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Summary 

For  more  than  a decade,  various  experts  have  expressed  increasing  concerns  about  cybersecurity, 
in  light  of  the  growing  frequency,  impact,  and  sophistication  of  attacks  on  information  systems  in 
the  United  States  and  abroad.  Consensus  has  also  been  building  that  the  current  legislative 
framework  for  cybersecurity  might  need  to  be  revised. 

The  complex  federal  role  in  cybersecurity  involves  both  securing  federal  systems  and  assisting  in 
protecting  nonfederal  systems.  Under  current  law,  all  federal  agencies  have  cybersecurity 
responsibilities  relating  to  their  own  systems,  and  many  have  sector-specific  responsibilities  for 
critical  infrastructure. 

More  than  50  statutes  address  various  aspects  of  cybersecurity  either  directly  or  indirectly,  but 
there  is  no  overarching  framework  legislation  in  place.  While  revisions  to  most  of  those  laws 
have  been  proposed  over  the  past  few  years,  no  major  cybersecurity  legislation  has  been  enacted 
since  2002. 

Recent  legislative  proposals,  including  many  bills  introduced  in  the  1 1 1th  and  1 12th  Congresses, 
have  focused  largely  on  issues  in  10  broad  areas  (see  “Selected  Issues  Addressed  in  Proposed 
Legislation”  for  an  overview  of  how  current  legislative  proposals  would  address  issues  in  several 
of  those  areas): 

• national  strategy  and  the  role  of  government, 

• reform  of  the  Federal  Information  Security  Management  Act  (F1SMA), 

• protection  of  critical  infrastructure  (including  the  electricity  grid  and  the 
chemical  industry), 

• information  sharing  and  cross-sector  coordination, 

• breaches  resulting  in  theft  or  exposure  of  personal  data  such  as  financial 
information, 

• cybercrime, 

• privacy  in  the  context  of  electronic  commerce, 

• international  efforts, 

• research  and  development,  and 

• the  cybersecurity  workforce. 

For  most  of  those  topics,  at  least  some  of  the  bills  addressing  them  have  proposed  changes  to 
current  laws.  Several  of  the  bills  specifically  focused  on  cybersecurity  have  received  committee 
or  floor  action,  but  none  have  become  law.  In  the  absence  of  enactment  of  cybersecurity 
legislation,  the  White  Flouse  has  reportedly  considered  issuing  an  executive  order,  but  that  has 
been  opposed  by  some  Members  of  Congress. 

Comprehensive  legislative  proposals  on  cybersecurity  that  have  received  considerable  attention  in 
2012  are  The  Cybersecurity  Act  of  2012  (CSA2012,  S.  2105,  reintroduced  in  revised  form  as  S. 
3414),  recommendations  from  a Flouse  Republican  task  force,  and  a proposal  by  the  Obama 
Administration.  They  differ  in  approach,  with  S.  2105  proposing  the  most  extensive  regulatory 
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framework  and  organizational  changes,  and  the  task  force  recommendations  focusing  more  on 
incentives  for  improving  private-sector  cybersecurity.  An  alternative  to  S.  2105  and  S.  3414,  S. 
3342  (a  refinement  of  S.  2151),  does  not  include  enhanced  regulatory  authority  or  new  federal 
entities,  but  does  include  cybercrime  provisions.  S.  3414  was  debated  in  the  Senate  but  failed  a 
cloture  vote. 

Several  narrower  House  bills  have  been  introduced  that  address  some  of  the  issues  raised  and 
recommendations  made  by  the  House  task  force.  Four  passed  the  House  the  week  of  April  23: 

• Cybersecurity  Enhancement  Act  of  201 1 (H.R.  2096),  which  addresses  federal 
cybersecurity  R&D  and  the  development  of  technical  standards; 

• Cyber  Intelligence  Sharing  and  Protection  Act  (H.R.  3523),  which  focuses  on 
information  sharing  and  coordination,  including  sharing  of  classified 
information; 

• Advancing  America’s  Networking  and  Information  Technology  Research  and 
Development  Act  of  2012  (H.R.  3834),  which  addresses  R&D  in  networking  and 
information  technology,  including  but  not  limited  to  security;  and 

• Federal  Information  Security  Amendments  Act  of  2012  (H.R.  4257),  which 
addresses  F1SMA  reform. 

One  was  ordered  reported  out  of  the  full  committee  but  did  not  come  to  the  floor: 

• Promoting  and  Enhancing  Cybersecurity  and  Information  Sharing  Effectiveness 
Act  of  2011  or  PRECISE  Act  of  2011  (H.R.  3674),  which  addresses  the  role  of 
the  Department  of  Homeland  Security  in  cybersecurity,  including  protection  of 
federal  systems,  personnel,  R&D,  information  sharing,  and  public/private  sector 
collaboration  in  protecting  critical  infrastructure; 

Together,  those  House  and  Senate  bills  address  most  of  the  issues  listed  above,  although  in 
different  ways.  All  include  proposed  revisions  to  some  existing  laws  covered  in  this  report. 
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Introduction 

For  more  than  a decade,  various  experts  have  expressed  concerns  about  information-system 
security — often  referred  to  as  cybersecurity — in  the  United  States  and  abroad.1  The  frequency, 
impact,  and  sophistication  of  attacks  on  those  systems  has  added  urgency  to  the  concerns.2 
Consensus  has  also  been  growing  that  the  current  legislative  framework  for  cybersecurity  might 
need  to  be  revised  to  address  needs  for  improved  cybersecurity,  especially  given  the  continuing 
evolution  of  the  technology  and  threat  environments.  This  report,  with  contributions  from  several 
CRS  staff  (see  Acknowledgments),  discusses  that  framework  and  proposals  to  amend  more  than 
30  acts  of  Congress  that  are  part  of  or  relevant  to  it.  For  a CRS  compilation  of  reports  and  other 
resources  on  cybersecurity,  see  CRS  Report  R42507,  Cybersecurity : Authoritative  Reports  and 
Resources,  by  Rita  Tehan.  For  additional  selected  CRS  reports  relevant  to  cybersecurity,  see  CRS 
Issues  in  Focus:  Cybersecurity. 


Current  Legislative  Framework 

The  federal  role  in  addressing  cybersecurity  is  complex.  It  involves  both  securing  federal  systems 
and  fulfilling  the  appropriate  federal  role  in  protecting  nonfederal  systems.  There  is  as  yet  no 
overarching  framework  legislation  in  place,  but  many  enacted  statutes  address  various  aspects  of 
cybersecurity.  Some  notable  provisions  are  in  the  following  acts: 


1 The  term  information  systems  is  defined  in  44  U.S.C.  §3502  as  “a  discrete  set  of  information  resources  organized  for 
the  collection,  processing,  maintenance,  use,  sharing,  dissemination,  or  disposition  of  information,”  where  information 
resources  is  “information  and  related  resources,  such  as  personnel,  equipment,  funds,  and  information  technology.” 
Thus  cybersecurity,  a broad  and  arguably  somewhat  fuzzy  concept  for  which  there  is  no  consensus  definition,  might 
best  be  described  as  measures  intended  to  protect  information  systems — including  technology  (such  as  devices, 
networks,  and  software),  infonnation,  and  associated  personnel — from  various  forms  of  attack.  The  concept  has, 
however,  been  characterized  in  various  ways.  For  example,  the  interagency  Committee  on  National  Security  Systems 
has  defined  it  as  “the  ability  to  protect  or  defend  the  use  of  cyberspace  from  cyber  attacks,”  where  cyberspace  is 
defined  as  “a  global  domain  within  the  infonnation  environment  consisting  of  the  interdependent  network  of 
information  systems  infrastmctures  including  the  Internet,  telecommunications  networks,  computer  systems,  and 
embedded  processors  and  controllers”  (Committee  on  National  Security  Systems,  National  Information  Assurance  (IA) 
Glossary,  April  2010,  http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf).  In  contrast,  cybersecurity  has  also  been  defined 
as  synonymous  with  information  security  (see,  for  example,  S.  773,  the  Cybersecurity  Act  of  2010,  in  the  1 1 1th 
Congress),  which  is  defined  in  current  law  (44  U.S.C.  §3532(b)(l ))  as 

protecting  infonnation  and  infonnation  systems  from  unauthorized  access,  use,  disclosure,  disruption, 
modification,  or  destruction  in  order  to  provide — 

(A)  integrity,  which  means  guarding  against  improper  information  modification  or  destruction,  and 
includes  ensuring  infonnation  nonrepudiation  and  authenticity; 

(B)  confidentiality,  which  means  preserving  authorized  restrictions  on  access  and  disclosure,  including 
means  for  protecting  personal  privacy  and  proprietary  infonnation; 

(C)  availability,  which  means  ensuring  timely  and  reliable  access  to  and  use  of  information;  and 

(D)  authentication,  which  means  utilizing  digital  credentials  to  assure  the  identity  of  users  and  validate 
their  access. 

2 See,  for  example,  IBM,  IBM X-Force®  2011  Mid-year  Trend  and  Risk  Report,  September  2011, 
http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03009usen/WGL03009USEN.PDF;  Barbara  Kay  and  Paula  Greve, 
Mapping  the  Med  Web  IV  (McAfee,  September  28,  2010),  http://us.mcafee.com/en-us/local/docs/MTMW_Report.pdf; 
Office  of  the  National  Counterintelligence  Executive,  Foreign  Spies  Stealing  U.S.  Economic  Secrets  in  Cyberspace: 
Report  to  Congress  on  Foreign  Economic  Collection  and  Industrial  Espionage,  2009-2011,  October  2011, 
http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_20 1 1 .pdf;  Symantec,  Symantec 
Internet  Security  Threat  Report:  Trends  for  2010,  Volume  16,  April  2011,  https://www4.symantec.com/mktginfo/ 
downloads/2 1 1 82883_GA_REPORT_ISTR  Main-Report_04- 1 l_HI-RES.pdf. 
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• The  Counterfeit  Access  Device  and  Computer  Fraud  and  Abuse  Act  of  1984 
prohibits  various  attacks  on  federal  computer  systems  and  on  those  used  by  hanks 
and  in  interstate  and  foreign  commerce. 

• The  Electronic  Communications  Privacy  Act  of  1986  (ECPA)  prohibits 
unauthorized  electronic  eavesdropping. 

• The  Computer  Security  Act  of  1987  gave  the  National  Institute  of  Standards  and 
Technology  (NIST)  responsibility  for  developing  security  standards  for  federal 
computer  systems,  except  the  national  security  systems3  that  are  used  for  defense 
and  intelligence  missions,  and  gave  responsibility  to  the  Secretary  of  Commerce 
for  promulgating  security  standards. 

• The  Paper-work  Reduction  Act  of 1995  gave  the  Office  of  Management  and 
Budget  (OMB)  responsibility  for  developing  cybersecurity  policies. 

• The  Clinger-Cohen  Act  of 1996  made  agency  heads  responsible  for  ensuring  the 
adequacy  of  agency  information-security  policies  and  procedures,  established  the 
chief  information  officer  (CIO)  position  in  agencies,  and  gave  the  Secretary  of 
Commerce  authority  to  make  promulgated  security  standards  mandatory. 

• The  Homeland  Security > Act  of 2002  (HSA)  gave  the  Department  of  Homeland 
Security  (DHS)  some  cybersecurity  responsibilities  in  addition  to  those  implied 
by  its  general  responsibilities  for  homeland  security  and  critical  infrastructure. 

• The  Cyber  Security  Research  and  Development  Act,  also  enacted  in  2002, 
established  research  responsibilities  in  cybersecurity  for  the  National  Science 
Foundation  (NSF)  and  NIST. 

• The  E-Government  Act  of 2002  serves  as  the  primary  legislative  vehicle  to  guide 
federal  IT  management  and  initiatives  to  make  information  and  services  available 
online,  and  includes  various  cybersecurity  requirements. 

• The  Federal  Information  Security  Management  Act  of 2002  (FISMA)  clarified 
and  strengthened  NIST  and  agency  cybersecurity  responsibilities,  established  a 
central  federal  incident  center,  and  made  OMB,  rather  than  the  Secretary  of 
Commerce,  responsible  for  promulgating  federal  cybersecurity  standards. 

More  than  40  other  laws  identified  by  CRS  also  have  provisions  relating  to  cybersecurity  (see 
Table  2).  Revisions  to  many  of  those  laws  have  been  proposed.  More  than  40  bills  and 
resolutions  with  provisions  related  to  cybersecurity  have  been  introduced  in  the  1 12th  Congress, 
including  several  proposing  revisions  to  current  laws.  In  the  1 1 1th  Congress,  the  total  was  more 


3 This  terni  is  defined  in  44  U.S.C.  §3542(b)(2). 
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than  60.4  Several  bills  in  both  Congresses  received  committee  or  floor  action,  but  none  have 
become  law.  In  fact,  no  comprehensive  cybersecurity  legislation  has  been  enacted  since  2002.5 


Executive  Branch  Actions 

Some  significant  executive  actions  have  been  taken,  however.6  The  George  W.  Bush 
Administration  established  the  Comprehensive  National  Cybersecurity  Initiative  (CNCI)  in  2008 
through  National  Security  Presidential  Directive  54  / Homeland  Security  Presidential  Directive 
23  (NSPD-54/HSPD-23).  Those  documents  are  classified,  but  the  Obama  Administration  released 
a description  of  them  in  March  2010. 7 Goals  of  the  12  subinitiatives  in  that  description  include 
consolidating  external  access  points  to  federal  systems;  deploying  intrusion  detection  and 
prevention  systems  across  those  systems;  improving  research  coordination  and  prioritization  and 
developing  “next-generation”  technology,  information  sharing,  and  cybersecurity  education  and 
awareness;  mitigating  risks  from  the  global  supply  chain  for  information  technology;  and 
clarifying  the  federal  role  in  protecting  critical  infrastructure. 

In  December  2009,  the  Obama  Administration  appointed  Howard  Schmidt  to  the  position  of 
White  House  Cybersecurity  Coordinator.8  He  is  a member  of  the  White  House  national  security 
staff  and  is  responsible  for  government-wide  coordination  of  cybersecurity,  including  the  CNCI. 
One  of  the  most  visible  initiatives  in  which  he  has  been  involved  is  the  implementation  of 
automated,  continuous  monitoring  of  federal  information  systems.9  Other  stated  priorities  include 
developing  a unified  strategy  for  network  security  and  incident  response,  and  strengthening 
partnerships  with  the  private  sector  and  other  countries.  He  works  with  both  the  National  Security 
and  Economic  Councils  in  the  White  House.  However,  the  position  has  no  direct  control  over 
agency  budgets,  and  some  observers  argue  that  operational  entities  such  as  the  National  Security 


4 Those  bills  were  identified  through  a two-step  process — candidates  were  found  through  searches  of  the  Legislative 
Infonnation  System  (LIS,  http://www.congress.gov)  using  “cybersecurity,”  “information  systems,”  and  other  relevant 
terns  in  the  text  of  the  bills,  followed  by  examination  of  that  text  in  the  candidates  to  determine  relevance  for 
cybersecurity.  Use  of  other  criteria  may  lead  to  somewhat  different  results.  For  example,  using  the  LIS  “cybersecurity” 
topic  search  yields  about  30  bills  in  the  1 12th  Congress  and  40  in  the  1 1 1th,  with  about  a 50%  overlap  in  the  bills 
included.  While  that  difference  is  higher  than  might  be  expected,  none  of  the  bills  identified  uniquely  by  the  LIS  topic 
search  are  relevant  to  the  discussion  in  this  report. 

5 Among  the  broader  proposals  in  the  11 1th  Congress,  S.  773  (S.Rept.  111-384)  and  S.  3480  (S.Rept.  1 1 1-368)  were 
reported  by  the  originating  committees.  H.R.  4061  (H.Rept.  1 1 1-405)  and  H.R.  5136  (Title  XVII,  mostly  similar  to 
H.R.  4900)  both  passed  the  House.  A bill  combining  provisions  of  the  two  Senate  bills  was  drafted  (Tony  Romm, 
“Lack  of  Direction  Slows  Cybersecurity,”  Politico , November  4,  2010,  http://www.politico.eom/news/stories/l  110/ 
44662.html).  In  the  1 12th  Congress,  S.  413  is  similar  to  S.  3480  in  the  previous  Congress,  H.R.  2096  (H.Rept.  1 12-264) 
is  similar  to  H.R.  4061,  and  the  Senate  combined  bill,  S.  2105,  includes  elements  of  S.  773,  S.  413,  S.  2102,  and  a 
proposal  put  forward  by  the  White  House  in  April  2011  (see  below). 

6 This  update  does  not  include  executive  branch  actions  taken  since  December  2011. 

7 The  White  House,  “The  Comprehensive  National  Cybersecurity  Initiative,”  March  5,  2010, 

http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative.  For  additional  information 
about  this  initiative  and  associated  policy  considerations,  see  CRS  Report  R40427,  Comprehensive  National 
Cybersecurity  Initiative:  Legal  Authorities  and  Policy  Considerations,  by  John  Rollins  and  Anna  C.  Henning. 

8 The  position  has  been  popularly  called  the  “cyber  czar.” 

9 Jeffrey  Zients,  Vivek  Kundra,  and  Howard  A.  Schmidt,  “FY  2010  Reporting  Instructions  for  the  Federal  Infonnation 
Security  Management  Act  and  Agency  Privacy  Management,”  Office  of  Management  and  Budget,  Memorandum  for 
Heads  of  Executive  Departments  and  Agencies  M-10-15,  April  21,  2010,  http://www.whitehouse.gov/omb/assets/ 
memoranda_20 1 0/m  1 0- 1 5 .pdf. 
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Agency  (NSA)  have  far  greater  influence  and  authority.10  The  Obama  Administration  has  also 
launched  several  initiatives.11 

Under  current  law,  all  federal  agencies  have  cybersecurity  responsibilities  relating  to  their  own 
systems,  and  many  have  sector-specific  responsibilities  for  critical  infrastructure,  such  as  the 
Department  of  Transportation  for  the  transportation  sector.  Cross-agency  responsibilities  are 
complex,  and  any  brief  description  is  necessarily  oversimplified.  In  general,  in  addition  to  the 
roles  of  White  House  entities,  DHS  is  the  primary  civil-sector  cybersecurity  agency.  NIST,  in  the 
Department  of  Commerce,  develops  cybersecurity  standards  and  guidelines  that  are  promulgated 
by  OMB,  and  the  Department  of  Justice  is  largely  responsible  for  the  enforcement  of  laws 
relating  to  cybersecurity.12  The  National  Science  Foundation  (NSF),  NIST,  and  DHS  all  perform 
research  and  development  (R&D)  related  to  cybersecurity.  The  National  Security  Agency  (NSA) 
is  the  primary  cybersecurity  agency  in  the  national  security  sector,  although  other  agencies  also 
play  significant  roles.  The  recently  established  U.S.  Cyber  Command,  part  of  the  U.S.  Strategic 
Command  in  the  Department  of  Defense  (DOD),  has  primary  responsibility  for  military 
cyberspace  operations. 


Legislative  Proposals 

In  general,  legislative  proposals  on  cybersecurity  in  the  1 1 1th  and  1 12th  Congresses  have  focused 
largely  on  issues  in  10  broad  areas: 

• national  strategy  and  the  role  of  government, 

• reform  of  F1SMA, 

• protection  of  critical  infrastructure  (especially  the  electricity  grid  and  the 
chemical  industry), 

• information  sharing  and  cross-sector  coordination, 

• breaches  resulting  in  theft  or  exposure  of  personal  data  such  as  financial 
information, 

• cybercrime  offenses  and  penalties, 

• privacy  in  the  context  of  electronic  commerce, 

• international  efforts, 

• research  and  development  (R&D),  and 


10  See,  for  example,  Seymour  M.  Hersh,  “Judging  the  cyber  war  terrorist  threat,”  The  New  Yorker , November  1,  2010, 
http://www.newyorker.eom/reporting/2010/l  1/01/101 101  fa_fact_hersh?currentPage=all. 

1 1 Among  them  are  White  House  strategies  to  improve  the  security  of  Internet  transactions  (The  White  House,  National 
Strategy  for  Trusted  Identities  in  Cyberspace,  April  2011,  http://www.whitehouse.gov/sites/default/files/rss_viewer/ 
NSTICstrategy_04151  l.pdf)  and  to  coordinate  international  efforts  (The  White  House,  International  Strategy  for 
Cyberspace,  May  2011,  http://www.whitehouse.gov/sites/default/files/rss_viewer/ 

intemational_strategy_for_cyberspace.pdf),  and  an  executive  order  on  sharing  and  security  for  classified  infonnation 
(Executive  Order  13587,  “Structural  Reforms  to  Improve  the  Security  of  Classified  Networks  and  the  Responsible 
Sharing  and  Safeguarding  of  Classified  Information,”  Federal  Register  76,  no.  198  (October  13,  201 1):  63811-63815, 
http://www.gpo.gov/fdsys/pkg/FR-201  l-lO-D/pdf^Ol  l-26729.pdf). 

12  This  responsibility  is  shared  to  some  extent  with  other  agencies  such  as  the  U.S.  Secret  Service. 
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• the  cybersecurity  workforce. 

For  most  of  those  topics,  at  least  some  of  the  bills  addressing  them  proposed  changes  to  current 
laws.13 

Selected  Legislative  Proposals  in  the  112th  Congress 

There  appears  to  be  considerable  support  in  principle  for  significant  legislation  to  address  most  of 
those  issues.  The  House,  Senate,  and  White  House  have  taken  somewhat  different  approaches  to 
such  legislation. 

The  Senate  has  been  working  since  last  year  on  a comprehensive  bill  synthesizing  approaches 
proposed  by  the  Homeland  Security  and  Governmental  Affairs  Committee  (S.  3480  in  the  1 1 1th 
Congress  and  S.  413  in  the  112th),  the  Commerce,  Science,  and  Transportation  Committee  (S.  773 
in  the  111th  Congress),  and  others.  S.  2105,  the  Cybersecurity  Act  of  2012,  which  includes 
features  of  both  those  bills  and  others,14  was  introduced  in  February  2012.  Arevised  version,  S. 
3414,  also  known  as  CSA2012,  was  introduced  in  July.  An  alternative  Senate  bill,  S.  3342,  the 
SECURE  IT  Act,15  is  a revision  of  S.  21 5 1 , which  was  originally  introduced  in  March.16  Several 
other  Senate  bills  would  address  specific  aspects  of  cybersecurity,  such  as  data  breaches  of 
personal  information  and  cybercrime.  S.  3342  was  debated  in  the  Senate  in  July.  A cloture  motion 
failed  on  August  2,  but  further  action  may  be  taken  on  the  bill  before  the  end  of  the  session. 

In  April  2011,  the  White  House  sent  a comprehensive,  seven-part  legislative  proposal  ( White 
House  Proposal ) to  Congress.17  Some  elements  of  that  proposal  have  been  included  in  both 
House  and  Senate  bills.  The  White  House  is  also  reportedly  considering  issuing  an  executive 
order  on  cybersecurity  that  would  implement  some  additional  measures  for  information  sharing 
and  protection  of  critical  infrastructure.16  Opposition  to  such  an  action  has  been  expressed  by 
some  Members  of  Congress,  citing  reasons  relating  to  potential  impacts  on  legislative  efforts,  the 
private  sector,  and  international  negotiations.19 


13  For  specific  analysis  of  legal  issues  associated  with  several  of  the  bills  being  debated  in  the  1 12th  Congress,  see  CRS 
Report  R42409,  Cybersecurity:  Selected  Legal  Issues,  by  Edward  C.  Liu  et  al. 

14  The  title  on  infonnation  sharing  is  similar  to  S.  2102. 

15  SECURE  IT  is  an  acronym  for  Strengthening  and  Enhancing  Cybersecurity  by  Using  Research,  Education, 
Infonnation  and  Technology. 

16  A very  similar  but  not  identical  bill,  H.R.  4263,  was  introduced  in  the  House  April  9.  It  is  not  discussed  separately  in 
this  update. 

17  The  White  House,  Complete  Cybersecurity  Proposal,  201 1,  http://www.whitehouse.gov/sites/default/files/omb/ 
legislative/letters/law-enforcement-provisions-related-to-computer-security-full-bill.pdf.  One  part  does  not  appear  to  be 
directly  related  to  cybersecurity.  It  would  restrict  the  authority  of  state  and  local  jurisdictions  with  respect  to  the 
location  of  commercial  data  centers. 

ls  Josh  Smith,  “GOP  Senators  Assail  White  House  for  Pushing  Executive  Order  on  Cybersecurity,”  Nextgov, 

September  14,  2012,  http://www.nextgov.coin/cybersecurity/2012/09/gop-senators-assail-white-house-pushing- 
executive-order-cybersecurity/ 58123/. 

19  The  Honorable  Fred  Upton  et  al.  to  President  Barack  Obama,  October  1 1,  2012, 

http://energycommerce.house.gov/sites/republicans.energycommerce.house.gov/files/letters/2012101 1 Cybersecurity. pd 
f;  Senate  Committee  on  Homeland  Security  and  Government  Affairs,  “Senators  Collins,  Snowe,  and  Lugar  to  White 
House:  Refrain  from  Executive  Order  on  Cybersecurity,”  Press  Release,  October  10,  2012, 

http://www.hsgac.senate.gov/media/minority-media/senators-collins-snowe-and-lugar-to-white-house-refrain-from- 

executive-order-on-cybersecurity. 
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In  October,  the  12-Member  House  Republican  Cybersecurity  Task  Force,  which  had  been  formed 
by  Speaker  Boehner  in  June,  released  a series  of  recommendations  (Task  Force  Report)  to  be  used 
by  House  committees  in  developing  cybersecurity  legislation.20  Unlike  the  other  proposals,  it  was 
not  presented  in  the  form  of  a bill  or  bills.  Several  House  bills  have  been  introduced  subsequently 
that  address  some  of  the  issues  raised  and  recommendations  made  by  the  Task  Force  Report.  Four 
passed  the  House  the  week  of  April  23: 

• Cybersecurity  Enhancement  Act  of  20 1 1 (H.R.  2096),  which  would  addresses 
federal  cybersecurity  R&D  and  the  development  of  technical  standards; 

• Cyber  Intelligence  Sharing  and  Protection  Act  (H.R.  3523),  which  focuses  on 
information  sharing  and  coordination,  including  sharing  of  classified 
information;21 

• Advancing  America’s  Networking  and  Information  Technology  Research  and 
Development  Act  of  2012  (H.R.  3834),  which  addresses  R&D  in  networking  and 
information  technology,  including  but  not  limited  to  security;22  and 

• Federal  Information  Security  Amendments  Act  of  2012  (H.R.  4257),  which 
addresses  FISMA  reform. 

A fifth  bill  was  ordered  reported  out  of  full  committee  on  April  1 8 but  was  not  included  in  the 
cybersecurity  bills  debated  on  the  House  floor  the  week  of  April  23 :23 

• Promoting  and  Enhancing  Cybersecurity  and  Information  Sharing  Effectiveness 
Act  of  2011  or  PRECISE  Act  of  2011  (H.R.  3674),  which  addresses  the  role  of 
the  Department  of  Homeland  Security  in  cybersecurity,  including  protection  of 
federal  systems,  personnel,  R&D,  information  sharing,  and  public/private  sector 
collaboration  in  protecting  critical  infrastructure. 

Specific  issues  addressed  by  several  of  those  bills  and  proposals  are  noted  in  Table  1.  Together, 
they  address  most  of  the  issues  listed  above,  although  in  different  ways.  All  include  or  discuss 
proposed  revisions  to  some  existing  laws  covered  in  this  report. 


20  House  Republican  Cybersecurity  Task  Force,  Recommendations  of  the  House  Republican  Cybersecurity  Task  Force, 
October  5,  201 1,  http://thomberry.house.gov/UploadedFiles/CSTF_Final_Recommendations.pdf. 

21  The  Obama  Administration  has  objected  to  this  bill,  claiming  that  it  does  not  address  cybersecurity  needs  for  critical 
infrastructure,  and  contains  overly  broad  liability  protections  for  private-sector  entities  and  insufficient  protections  for 
individual  privacy,  confidentiality,  and  civil  liberties  (The  White  House,  "H.R.  3523 — Cyber  Intelligence  Sharing  and 
Protection  Act,”  Statement  of  Administration  Policy,  April  25,  2012,  http://www.whitehouse.gov/sites/default/files/ 
omb/legislative/sap/1 12/saphr3523r_20120425.pdf).  The  Administration  has  not  released  statements  of  administration 
policy  for  any  of  the  other  bills  discussed  in  this  report. 

22  For  discussion  of  this  bill  and  H.R.  2096,  see  also  CRS  Report  RL33586,  The  Federal  Networking  and  Information 
Technology  Research  and  Development  Program:  Background.  Funding,  and  Activities,  by  Patricia  Moloney  Figliola. 

23  H.R.  3674  was  marked  up  by  the  Subcommittee  on  Cybersecurity,  Infrastructure  Protection,  and  Security 
Technologies  of  the  Committee  on  Homeland  Security  on  February  1 and  forwarded  to  the  full  committee,  which 
substantially  amended  the  bill  in  its  April  18  markup. 
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Table  I.  Comparison  ofTopics  Addressed  by  Selected  Legislative  Proposals 
on  Cybersecurity  in  the  I 1 2th  Congress 


Topic 

Selected 

House 

Bills 

Task 

Force 

Report 

S.  2105 

S.  3414 

S.  3342 
(S.  2151) 

White 

House 

Proposal 

DHS  authorities  for  protection 
of  federal  systems 

H.R.  3674 

X 

X 

X 

X 

New  DHS  office/center 

H.R.  3674 

X 

X 

X 

Cybersecurity  workforce 
authorities  and  programs 

H.R.  2096 
H.R.  3674 
H.R.  3834 

X 

X 

X 

X 

X 

Supply-chain  vulnerabilities 

H.R.  3674 

X 

X 

X 

X 

Cybersecurity  R&D 

H.R.  2096 
H.R.  3674 
H.R.  3834 

X 

X 

X 

X 

X 

FISMA  reform 

H.R.  4257 

X 

X 

X 

X 

X 

Protection  of  privately  held 
critical  infrastructure  (Cl) 

H.R.  3674 

X 

X* 

x* 

X 

Government/private-sector 
collaboration  on  Cl  protection 

H.R.  3674 

X 

X 

X 

X 

Additional  regulation  of 
privately  held  critical 
infrastructure 

X 

X 

X 

X 

Information  sharing 

H.R.  3523 
H.R.  3674 

X 

X 

X 

X 

X 

FOIA  exemption  for 
cybersecurity  information 

H.R.  3523 

X 

X 

X 

X 

X 

New  information-sharing 
entities 

(H.R. 

3674)b 

X 

X 

X 

Public  awareness 

H.R.  2096 

X 

X 

X 

X 

Cybercrime  law 

X 

X 

X 

Data  breach  notification 

X 

X 

Internet  security  provider 
code  of  conduct 

X 

National  security/defense  and 
federal  civil  sector 
coordination 

X 

Source:  CRS. 

Note:  S.  3342  is  a revised 

version  of  S.  2 

151,  and  S.  3414 

is  a revised 

version  of  S.  2 

105. 

a.  S.  3414  would  permit  regulatory  agencies  to  adopt  certain  cybersecurity  practices  as  mandatory 
requirements,  but  does  not  provide  regulatory  authority  beyond  that  in  other  law.  S.  2105  would  provide 
the  Secretary  of  Homeland  Security  with  new  regulatory  authority  for  cybersecurity. 

b.  The  subcommittee  version  of  this  bill  would  have  created  a new  nonprofit  quasi-governmental  information- 
sharing entity,  but  the  committee  version  omitted  those  provisions  (see  “Information  Sharing”  below). 
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Those  addressed  in  the  House  bills  are 

• “Cyber  Security  Research  and  Development  Act,  2002”  (H.R.  2096,  S.  2105,  S. 

2151,  S.  3342,  S.  3414); 

• “Federal  Information  Security  Management  Act  of  2002  (F1SMA)”  (H.R.  4257, 
the  Task  Force  Report,  S.  2105,  S.  2151,  S.  3342,  S.  3414,  the  White  House 
Proposal)', 

• “High  Performance  Computing  Act  of  1991”  (H.R.  3834,  S.  2105,  S.  2151,  S. 

3342,  S.  3414) 

• “Homeland  Security  Act  of  2002  (HSA)”  (H.R.  3674,  S.  2105,  S.  3414,  the  White 
House  Proposal)',  and 

• “National  Security  Act  of  1947”  (H.R.  3523). 

Those  addressed  in  other  legislative  proposals  are 

• “Antitrust  Laws  and  Section  5 of  the  Federal  Trade  Commission  Act”  {Task 
Force  Report,  S.  2151,  S.  3342) 

• “Clinger-Cohen  Act  (Information  Technology  Management  Reform  Act)  of 
1996”  (S.  2105,  S.  3414,  White  House  Proposal)™ 

• “Counterfeit  Access  Device  and  Computer  Fraud  and  Abuse  Act  of  1984”  (Task 
Force  Report,  S.  2151,  S.  3342,  White  House  Proposal)', 

• “E-Government  Act  of  2002”  ( White  House  Proposal)', 

• “Electronic  C ommunications  Privacy  Act  of  1 986  (ECPA)”  ( Task  Force  Report)', 

• “Identity  Theft  Penalty  Enhancement  Act”  ( Task  Force  Report)',  and 

• “Racketeer  Influenced  and  Corrupt  Organizations  Act  (RICO)”  {Task  Force 
Report). 

Also,  some  legislative  proposals  would  provide  exemptions  under  the  “Freedom  of  Information 
Act  (FOIA)”  for  certain  kinds  of  information  provided  to  the  federal  government  {Task  Force 
Report,  H.R.  3523,  S.  2105,  S.  2151,  S.  3342,  S.  3414,  White  House  Proposal).  H.R.  3523,  S. 
2151,  and  S.  3342  would  also  permit  information  sharing  that  might  otherwise  be  subject  to 
antitrust  or  other  restrictions  on  sharing,25  and  the  Task  Force  Report  states  that  an  antitrust 
exemption  might  be  necessary. 

Selected  Issues  Addressed  in  Proposed  Legislation 

The  proposals  listed  in  Table  1 take  a range  of  approaches  to  address  issues  in  cybersecurity.  The 
discussion  below  compares  those  approaches  for  several  issues — “DHS  Authorities  for  Protection 
of  Federal  Systems,”  the  “Cybersecurity  Workforce,”  “Research  and  Development,”  “F1SMA 
Reform,”  “Protection  of  Privately  Held  Critical  Infrastructure  (Cl),”  and  “Information  Sharing.” 
For  discussion  of  legal  issues  associated  with  protection  of  federal  systems,  critical  infrastructure, 


24  See  also  “Federal  Information  Security  Management  Act  of  2002  (FISMA).” 

25  See  CRS  Report  R42409,  Cybersecurity:  Selected  Legal  Issues  for  more  detail. 
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and  information  sharing,  see  CRS  Report  R42409,  Cybersecurity:  Selected  Legal  Issues,  by 
Edward  C.  Liu  et  al. 

DHS  Authorities  for  Protection  of  Federal  Systems 

DHS  currently  has  very  limited  statutory  responsibility  for  the  protection  of  federal  information 
systems.  The  degree  to  which  its  role  should  be  modified  has  been  a matter  of  some  debate.  Five 
of  the  legislative  proposals  listed  in  Table  1 address  DHS  authorities  for  federal  civil  systems.26 
All  five  bills  would  enhance  DHS  authorities,  although  to  varying  degrees  and  in  varying  ways. 

The  Task  Force  Report  proposes  that  Congress  “formalize”  DHS’s  current  coordinating  role  in 
cybersecurity.  H.R.  3674  would  add  new  provisions  on  DHS  cybersecurity  activities  to  Title  11  of 
HSA;  S.  2105,  S.  3414,  and  the  White  House  Proposal  would  add  a new  subtitle  to  HSA.  All  four 
proposals  would  provide  specific  authorities  and  responsibilities  to  DHS  for  risk  assessments, 
protective  capabilities,  and  operational  cybersecurity  activities. 

S.  2105  and  S.  3414  have  similar  provisions  that  would  create  a new,  consolidated  DHS 
cybersecurity  and  communications  center  with  a Senate-confirmed  director  who  would  be 
responsible  for  managing  federal  cybersecurity  efforts;  for  developing  and  implementing 
information-security  policies,  principles,  and  guidelines;  and  other  functions,  including  risk 
assessments  and  other  activities  to  protect  federal  systems.  The  White  House  Proposal  would 
provide  such  enhanced  authority  to  the  DHS  Secretary  rather  than  a new  center.  However,  the 
White  House  Proposal  would  require  the  Secretary  to  establish  a center  with  responsibilities  for 
protecting  federal  information  systems,  facilitating  information  sharing,  and  coordinating  incident 
response.  H.R.  3674  would  establish  a DHS  center  with  responsibility  for  information  sharing 
(see  “Information  Sharing”)  and  technical  assistance,  and  would  authorize  DHS  to  conduct 
specific  activities  to  protect  federal  systems,  including  risk  assessments  and  access  to  agency 
information-system  traffic. 

S.  2151  would  not  amend  the  HSA  but  would  provide  the  Secretary  of  Homeland  Security  with 
new  responsibilities  under  F1SMA.  S.  3342  omits  some  of  those  responsibilities  and  modifies 
others  (see  “F1SMA  Reform”). 

Cybersecurity  Workforce 

Concerns  have  been  raised  for  several  years  about  the  size,  skills,  and  preparation  of  the  federal 
and  private-sector  cybersecurity  workforce.27  Six  proposals  in  Table  1 would  address  those 
concerns  in  various  ways: 


26  As  used  here,  civil  systems  means  federal  information  systems  other  than  national  security  systems  (defined  in  44 
U.S.C.  §3542)  and  mission-critical  Department  of  Defense  and  Intelligence  Community  systems  (i.e.,  compromise  of 
those  systems  “would  have  a debilitating  impact  on  the  mission”  of  the  agencies  [see  44  U.S.C.  3543(c)]). 

27  See,  for  example,  CSIS  Commission  on  Cybersecurity  for  the  44th  Presidency,  Securing  Cyberspace  for  the  44,h 
Presidency,  December  2008,  http://www.csis.org/tech/cyber/;  Partnership  for  Public  Service  and  Booz  Allen  Hamilton, 
Cyber  IN-Security:  Strengthening  the  Federal  Cybersecurity  Workforce , July  2009,  http://ourpublicservice.org/OPS/ 
publications/download.php?id=135;  CSIS  Commission  on  Cybersecurity  for  the  44th  Presidency,  A Human  Capital 
Crisis  in  Cybersecurity,  July  2010,  http://csis.org/files/publication/ 
100720_Lewis_HumanCapital_WEB_BlkWhteVersion.pdf. 
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• Provide  additional  federal  hiring  and  compensation  authorities  ( Task  Force 
Report,  H.R.  3674,  S.  2105,  S.  3414,  White  House  Proposal). 

• Establish  or  enhance  educational  programs  for  development  of  next-generation 
cybersecurity  professionals28  (Task  Force  Report,  H.R.  2096,  H.R.  3834,  S.  2105, 

S.  3414,  S.  2151,  S.  3342). 

• Assess  workforce  needs  (H.R.  2096,  S.  2105,  S.  3414,  S.  2151,  S.  3342). 

• Use  public/private-sector  personnel  exchanges  ( Task  Force  Report,  White  Flouse 
Proposal). 

The  workforce-related  provisions  in  S.  2105  and  S.  3414  are  largely  identical.  The  latter  omits 
some  education  provisions  involving  the  Secretary  of  Education  but  adds  an  initiative  on  state  and 
local  education  and  training. 

Research  and  Development 

The  need  for  improvements  in  fundamental  knowledge  of  cybersecurity  and  new  solutions  and 
approaches  has  been  recognized  for  well  over  a decade29  and  was  a factor  in  the  passage  of  the 
Cybersecurity  Research  and  Development  Act  in  2002  (P.L.  107-305,  H.Rept.  107-355).  That  law 
focuses  on  cybersecurity  R&D  by  NSF  and  NIST.  The  Homeland  Security  Act  of  2002,  in 
contrast,  does  not  specifically  mention  cybersecurity  R&D.  However,  DHS  and  several  other 
agencies  make  significant  investments  in  it.  About  60%  of  reported  funding  by  agencies  in 
cybersecurity  and  information  assurance  is  defense-related  (invested  by  the  Defense  Advanced 
Research  Projects  Agency  [DARPA],  NS  A,  and  other  defense  agencies),  with  NSF  accounting  for 
about  15%,  NIST,  DHS,  and  DOE  5%-10%  each.30  Seven  of  the  nine  legislative  proposals  in 
Table  1 address  cybersecurity  R&D.  Five  would  establish  requirements  for  R&D  on  specific 
topics  such  as  detection  of  threats  and  intrusions,  identity  management,  test  beds,  and  supply- 
chain  security.  Agencies  for  which  the  proposals  include  provisions  specifying  research  topics  or 
providing  funding  authorization  include 

• DHS  (H.R.  3674,  S.  2105,  S.  3414), 

• NIST  (H.R.  2096,  S.  2151,  S.  3342), 


2S  This  includes  providing  requirements  or  statutory  authority  for  existing  programs,  such  as  the  joint  NSF/DHS 
Scholarship-for  Service  Program  (see  Office  of  Personnel  Management,  “Federal  Cyber  Service:  Scholarship  For 
Service,”  n.d.,  https://www.sfs.opm.gov/;  National  Science  Foundation,  Federal  Cyber  Service:  Scholarship  for  Service 
(SFS),  NSF  08-600,  Program  Solicitation,  December  2,  2008,  http://www.nsf.gov/pubs/2008/nsf08600/nsf08600.htm), 
the  NSA/DF1S  National  Centers  of  Academic  Excellence  and  National  Security  Agency  (“National  Centers  of 
Academic  Excellence,”  January  10,  2012,  http://www.nsa.gov/ia/academic_outreach/nat_cae/index.shtml),  and  the  U.S. 
Cyber  Challenge  (National  Board  of  Information  Security  Examiners,  “US  Cyber  Challenge,”  2012, 
https://www.nbise.org/uscc). 

29  See,  for  example,  National  Research  Council,  Trust  in  Cyberspace  (Washington,  DC:  National  Academies  Press, 
1999),  http://www.nap.edu/catalog/6161.html. 

30  The  percentages  were  calculated  from  data  in  Subcommittee  on  Networking  and  Information  Technology  Research 
and  Development,  Committee  on  Technology,  Supplement  to  the  President ’s  Budget  for  Fiscal  Year  2013:  The 
Networking  and  Information  Technology  Research  and  Development  Program,  February  2012,  http://www.nitrd.gov/ 
PUBS%5C2013supplement%5CFY13NITRDSupplement.pdf.  The  total  investment  for  FY201 1 was  $445  million. 
However,  agencies  may  perform  additional  research  not  reported  as  cybersecurity  R&D  (e.g.,  some  research  on 
software  design  or  high-confidence  systems). 
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• NSF  (H.R.  2096,  S.  2105,  S.  2151,  S.  3342,  S.  3414),  and 

• Multiagency31  (H.R.  3834,  S.  2105,  S.  2151,  S.  3342,  S.  3414). 

The  Task  Force  Report,  H.R.  2096,  H.R.  3834,  S.  2105,  S.  2151,  S.  3342,  and  S.  3414  address 
planning  and  coordination  of  research  among  federal  agencies  through  the  White  House  National 
Science  and  Technology  Council  (NSTC)  and  other  entities.  The  White  House  Proposal  does  not 
include  any  specific  R&D  provisions  but  includes  cybersecurity  R&D  among  a set  of  proposed 
requirements  for  the  Secretary  of  Homeland  Security. 

FISMA  Reform 

The  “Federal  Information  Security  Management  Act  of  2002  (FISMA)”  was  enacted  in  2002.  It 
revised  the  framework  that  had  been  enacted  in  several  previous  laws  (see  Table  2).  FISMA  has 
been  criticized  for  focus  on  procedure  and  reporting  rather  than  operational  security,  a lack  of 
widely  accepted  cybersecurity  metrics,  variations  in  agency  interpretation  of  the  mandates  in  the 
act,  excessive  focus  on  individual  information  systems  as  opposed  to  the  agency’s  overall 
information  architecture,  and  insufficient  means  to  enforce  compliance  both  within  and  across 
agencies.  Seven  legislative  proposals  in  the  1 12th  Congress  (the  Task  Force  Report,  H.R.  4257,  S. 
2105,  S.  2151,  S.  3342,  S.  3414,  and  the  White  House  Proposal)  would  revise  FISMA,  while 
retaining  much  of  the  current  framework: 

• All  would  continue  requirements  for  agency-wide  information  security  programs, 
annual  independent  review  of  security  programs,  and  reports  on  program 
effectiveness  and  deficiencies. 

• All  include  requirements  for  continuous  monitoring  of  agency  systems,  including 
automated  monitoring. 

• All  would  retain  the  responsibility  of  NIST  for  development  of  cybersecurity 
standards,  including  compulsory  standards.  H.R.  4257  would  retain  OMB’s 
current  responsibility  for  promulgating  the  standards,  whereas  S.  2105,  S.  2151, 

S.  3342,  S.  3414,  and  the  White  House  Proposal  would  transfer  that 
responsibility  to  the  Secretary  of  Commerce.32 

• H.R.  4257  would  also  retain  OMB’s  current  responsibility  for  overseeing  federal 
information-security  policy  and  evaluating  agency  information-security 
programs.  S.  2105,  S.  3414,  and  the  White  House  Proposal  would  transfer 
authorities  and  functions  for  information  security  policy  from  OMB  to  DHS. 

OMB  has  already  delegated  some  authorities  to  DHS  administratively,33  and  the 


31  For  example,  through  the  Director  of  the  Office  of  Science  and  Technology  Policy  (OSTP). 

32  This  authority  had  been  granted  to  the  Secretary  of  Commerce  under  the  Clinger-Cohen  Act  of  1996  (P.L.  104-106) 
but  was  transferred  to  the  Director  of  OMB  by  the  FISMA  title  in  the  FISA  in  2002  (P.L.  107-296,  Section  1002,  40 
U.S.C.  §11331).  Note  that  the  version  of  the  Chapter  35  provisions  that  is  currently  in  effect  (Subchapter  III)  was 
enacted  by  the  FISMA  title  in  the  E-Government  Act  of  2002  (P.L.  107-347,  Title  III),  but  that  is  not  the  case  for  40 
U.S.C.  §11331,  for  which  the  version  in  the  E-Government  Act  would  have  retained  the  authority  of  the  Secretary  of 
Commerce  to  promulgate  those  standards,  even  though  it  was  enacted  after  the  HSA.  The  reason  for  this  potentially 
confusing  difference  appears  to  be  that  (1)  the  effective  date  of  HSA  was  later  than  that  of  the  E-Government  Act,  and 
(2)  HSA  changed  44  U.S.C.  Chapter  35  by  amending  the  existing  subchapter  II,  which  the  E-Government  Act 
explicitly  suspended  (see  also  “Federal  Information  Security  Management  Act  of  2002  (FISMA)”). 

33  See  Jeffrey  Zients,  Vivek  Kundra,  and  Howard  A.  Schmidt,  “FY  2010  Reporting  Instructions  for  the  Federal 
(continued...) 
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Task  Force  Report  expresses  support  for  that  approach.  S.  2151  and  S.  3342,  in 
contrast,  would  transfer  that  responsibility  to  the  Secretary  of  Commerce. 

However,  none  of  the  proposals  would  give  the  Secretaries  of  Commerce  or 
Homeland  Security  authority  to  approve  or  disapprove  agency  information 
security  plans.  Only  H.R.  4257  would  expressly  retain  OMB’s  current  power  to 
use  its  financial  authority  to  enforce  accountability. 

• S.  2105,  S.  3414,  and  the  White  House  Proposal  would  provide  new  protective 
authorities  to  the  Secretary  of  Homeland  Security,  including  intrusion  detection, 
use  of  countermeasures,  access  to  communications  and  other  system  traffic  at 
agencies,  as  well  as  the  power  to  direct  agencies  to  take  protective  actions  and,  in 
the  case  of  an  imminent  threat,  to  act  without  prior  consultation  to  protect  agency 
systems.  S.  2151  would  provide  DHS  a much  more  limited  role,  requiring  it  to 
conduct  ongoing  security  analyses  using  information  provided  by  the  agencies.  S. 

3342  would  give  that  responsibility  instead  to  OMB. 

• Only  H.R.  4257  would  retain  the  current  F1SMA  provision  giving  OMB 
responsibility  for  ensuring  operation  of  a federal  incident  center.  However,  S. 

2105,  S.  3414,  and  the  White  House  Proposal  each  contain  other  provisions  that 
would  establish  centers  within  DHS  that  would  provide  for  incident  reporting, 
information  sharing,  and  other  cybersecurity  activities.  S.  2151  and  S.  3342,  in 
contrast,  contain  provisions  to  facilitate  reporting  to  a number  of  centers  (see 
“Information  Sharing”  below). 

Protection  of  Privately  Held  Critical  Infrastructure  (Cl) 

The  federal  government  has  identified  18  sectors  of  critical  infrastructure  (Cl),34  much  of  which  is 
owned  by  the  private  sector.  The  federal  role  in  protection  of  privately  held  Cl  has  been  one  of 
the  most  contentious  issues  in  the  debate  about  cybersecurity  legislation.  There  appears  to  be 
broad  agreement  that  additional  actions  are  needed  to  address  the  cybersecurity  risks  to  Cl,35  but 
there  is  considerable  disagreement  about  how  much,  if  any,  additional  federal  regulation  is 
required.  Four  of  the  proposals  in  Table  1 address  protection  of  privately  held  Cl. 


(...continued) 

Infonnation  Security  Management  Act  and  Agency  Privacy  Management,”  Office  of  Management  and  Budget, 
Memorandum  for  Heads  of  Executive  Departments  and  Agencies  M-10-15,  April  21,  2010, 

http://www.whitehouse.gov/omb/assets/memoranda_2010/ml0-15.pdf;  and  Peter  R.  Orszag  and  Howard  A.  Schmidt, 
“Clarifying  Cybersecurity  Responsibilities  and  Activities  of  the  Executive  Office  of  the  President  and  the  Department 
of  Homeland  Security  (DHS),”  Office  of  Management  and  Budget,  Memorandum  for  Heads  of  Executive  Departments 
and  Agencies  M-10-28,  July  6,  2010,  http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/ml0- 
28.pdf. 

34  See  Department  of  Homeland  Security,  “Critical  Infrastructure”,  May  4,  2012,  http://www.dhs.gov/files/programs/ 
gc_l  189 168948944. shtm;  and  CRS  Report  RL30153,  Critical  Infrastructures:  Background,  Policy,  and 
Implementation,  by  John  D.  Moteff. 

35  See,  for  example,  House  Committee  on  Homeland  Security,  Subcommittee  on  Cybersecurity,  Infrastructure 
Protection,  and  Security  Technologies,  Examining  the  Cyber  Threat  to  Critical  Infrastructure  and  the  American 
Economy,  2011,  http://homeland.house.gov/hearing/ subcommittee-hearing-examining-cyber-threat-critical- 
infrastructure-and-american-economy;  Stewart  Baker,  Natalia  Filipiak,  and  Katrina  Timlin,  In  the  Dark:  Crucial 
Industries  Confront  Cyberattacks  (McAfee  and  CSIS,  April  21,  2011),  http://www.mcafee.com/us/resources/reports/rp- 
critical-infrastructure-protection.pdf;  and  R.  E.  Kalin  et  al.,  America ’s  Cyber  Future:  America ’s  Cyber  Future:  Security 
and  Prosperity  in  the  Information  Age  (Center  for  a New  American  Security,  May  31,  2011),  http://www.cnas.org/files/ 
documents/publications/CNAS_Cyber_Volume%20I_0.pdf. 
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Both  S.  2105  and  the  White  House  Proposal  would  require  the  Secretary  of  Homeland  Security  to 

• designate  as  covered  Cl  those  private-sector  Cl  entities  for  which  a successful 
cyberattack  could  have  debilitating  or  catastrophic  impacts  of  national 
significance,36  with  S.  2105  further  requiring  the  Secretary  of  Homeland  Security 
to  perform  a sector-by-sector  risk  assessment  and  use  it  in  prioritizing 
designations, 

• determine  what  cybersecurity  requirements  or  frameworks  are  necessary  to 
protect  them, 

• determine  whether  additional  regulations  are  necessary  to  ensure  that  the 
requirements  are  met, 

• develop  such  regulations  in  consultation  with  government  and  private -sector 
entities,  and 

• enforce  the  regulations. 

The  regulations  proposed  by  S.  2105  would  require  Cl  owners  and  operators,  unless  exempted,37 
to  certify  compliance  annually,  based  on  self-  or  third-party  assessments,  and  would  provide  civil 
penalties  for  noncompliance.  The  Secretary  would  also  be  authorized  to  perform  assessments 
where  risks  justify  such  action. 

S.  3414,  a revision  of  S.  2105,  would  instead  establish  a federal  interagency  council  to  perform 
the  risk  assessments  through  a member  agency,  identify  critical  cyber  infrastructure,  identify  and 
adopt  recommended  practices,  establish  incentive -based  programs  to  encourage  voluntary 
adoption  of  those  practices  by  owners  and  operators,  and  provide  information  and  technical 
assistance  to  them.  The  council  would  be  required  to  coordinate  its  activities  with  relevant 
private-sector  entities.  The  bill  would  permit  federal  regulatory  agencies  to  require  use  of  adopted 
practices  by  Cl  entities  they  regulate,  provided  that  such  actions  are  authorized  by  existing  federal 
law.  S.  3414  would  also  establish  a voluntary  program  to  certify  Cl  entities  as  complying  with  the 
adopted  practices.  It  would  require  the  use  of  third-party  assessments  and  authorize  the  Council  to 
perform  assessments  where  risks  justify  such  action. 

The  White  House  Proposal  would  require  owners  and  operators  of  covered  entities,  unless 
exempted, 3S  to  submit  and  attest  to  compliance  plans,  and  certify  compliance  annually. 
Independent  evaluations  would  be  performed  on  a schedule  determined  by  the  Secretary.  Civil 
penalties,  shutdown  orders,  and  requirements  for  use  of  particular  measures  would  be  prohibited 
as  enforcement  methods. 


36  S.  2105  would  largely  exempt  infomiation  technology  products  and  services  from  designation  as  covered  Cl  and  the 
cybersecurity  regulations  the  bill  would  authorize. 

37  An  entity  would  be  exempted  if  the  Secretary  of  Homeland  Security  determined  that  it  was  already  sufficiently 
secure  or  that  additional  requirements  would  not  substantially  improve  its  security  (Section  105(c)(4)).  The  President 
would  also  be  pennitted  to  exempt  an  entity  from  the  requirements  upon  detennining  that  current  regulations 
sufficiently  mitigate  the  risks  to  the  entity  (Section  104(f)). 

3S  This  exemption  (Section  9(c)  in  the  part  of  the  proposal  on  Cl  protection)  is  similar  to  the  Presidential  exemption  in 
S.  2105  (footnote  37)  except  that  the  White  House  Proposal  would  give  the  authority  to  the  Secretary  of  Homeland 
Security. 
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The  Task  Force  Report  recommends  that  Congress  consider  targeted  and  limited  additional 
regulation  of  highly  regulated  industries  where  required  to  improve  cybersecurity,  and  that 
existing  regulations  be  streamlined.  For  most  Cl,  however,  the  report  recommends  that  Congress 
adopt  a menu  of  voluntary  incentives.39  It  also  recommends  limitations  on  liability  for  entities  that 
comply.  S.  2105,  S.  3414,  and  the  White  House  Proposal  would  also  limit  liability  for  entities  in 
compliance. 

The  subcommittee  version  of  H.R.  367440  would  have  amended  the  HSAto  require  the  Secretary 
of  Homeland  Security  to  perform  continuous  risk  assessments  of  Cl  for  inclusion  annually  in  the 
National  Infrastructure  Protection  Plan.41  It  would  also  have  required  relevant  federal  regulatory 
agencies  to  review  cybersecurity  regulations  for  covered  Cl  (as  determined  by  the  Secretary42) 
and  fill  any  gaps  using  a collection  of  recognized  consensus  standards,  where  applicable,  and  to 
work  with  NIST  to  develop  such  standards  where  necessary.  It  would  have  prohibited  additional 
regulatory  authority  beyond  the  collected  standards. 

The  full-committee  version  of  H.R.  3 6 744  ’ would  amend  the  HSA  in  a substantially  different  way 
from  the  subcommittee  version.  It  would  permit  the  Secretary  to  engage  in  risk  assessments  and 
other  protective  activities  with  respect  to  privately  held  Cl  only  upon  request  by  owners  and 
operators.  It  would  require  the  Secretary  to  develop  a cybersecurity  strategy  for  Cl  systems  and 
stipulates  that  the  bill  would  not  provide  additional  authority  to  DHS  over  federal  or  nonfederal 
entities. 

S.  2151  and  S.  3342  do  not  contain  specific  provisions  for  protection  of  Cl  similar  to  those  in  the 
proposals  discussed  above.  However,  they  would  provide  criminal  penalties  for  damage  to  Cl 
computers,  and,  like  the  proposals  discussed  above,  they  contain  information  sharing  provisions 
that  would  be  useful  in  Cl  protection. 

Information  Sharing 

Barriers  to  the  sharing  of  information  on  threats,  attacks,  vulnerabilities,  and  other  aspects  of 
cybersecurity — both  within  and  across  sectors — have  long  been  considered  by  many  to  be  a 
significant  hindrance  to  effective  protection  of  information  systems,  especially  those  associated 
with  Cl.44  Examples  have  included  legal  barriers,  concerns  about  liability  and  misuse,  protection 


39  Among  the  possibilities  discussed  are  tying  adoption  of  standards  to  incentives  such  as  grants  and  streamlined 
regulation,  using  tax  credits,  and  facilitating  the  development  of  a cybersecurity  insurance  market. 

40  This  is  the  version  approved  by  voice  vote  by  the  Subcommittee  on  Cybersecurity,  Infrastructure  Protection,  and 
Security  Technologies  of  the  House  Committee  on  Homeland  Security  on  February  1,  2012,  and  forwarded  to  the  foil 
committee. 

41  See  Department  of  Homeland  Security,  National  Infrastructure  Protection  Plan,  2009,  http://www.dhs.gov/xlibrary/ 
as  sets/NIPPP  lan  .pdf. 

42  The  criteria  in  the  subcommittee  version  of  H.R.  3674  are  generally  similar  to  those  in  S.  2105  and  the  White  House 
Proposal  in  that  they  focus  on  entities  for  which  successful  cyberattack  could  have  major  negative  impacts.  The 
definitions  in  the  three  legislative  proposals  differ  somewhat  in  emphasis  and  specificity. 

43  This  is  the  version  ordered  reported  by  the  Committee  on  Homeland  Security  on  April  18,  2012. 

44  See,  for  example.  The  Markle  Foundation  Task  Force  on  National  Security  in  the  Information  Age,  Nation  At  Risk: 
Policy  Makers  Need  Better  Information  to  Protect  the  Country,  March  2009,  http://www.markle.org/ 
downloadable_assets/20090304_mtf_report.pdf;  CSIS  Commission  on  Cybersecurity  for  the  44th  Presidency, 
Cybersecurity  Two  Years  Later,  January  2011,  http://csis.org/files/publication/ 

1101 28__Lewis_CybersecurityTwoY  earsLater_Web.pdf. 
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of  trade  secrets  and  other  proprietary  business  information,  and  institutional  and  cultural 
factors — for  example,  the  traditional  approach  to  security  tends  to  emphasize  secrecy  and 
confidentiality,  which  would  necessarily  impede  sharing  of  information. 

Proposals  to  reduce  or  remove  such  barriers,  including  provisions  in  bills  in  Table  1,  have  raised 
concerns,45  some  of  which  are  related  to  the  purpose  of  barriers  that  currently  impede  sharing. 
Examples  include  risks  to  individual  privacy  and  even  free  speech  and  other  rights,  use  of 
information  for  purposes  other  than  cybersecurity,  such  as  unrelated  government  regulatory 
actions,  commercial  exploitation  of  personal  information,  or  anticompetitive  collusion  among 
businesses  that  would  currently  violate  federal  law  (see  “Antitrust  Laws  and  Section  5 of  the 
Federal  Trade  Commission  Act”). 

Seven  proposals  in  Table  1 have  provisions  for  improving  information  sharing  and  addressing 
privacy  and  other  concerns:46 

• Create  entities  for  information  sharing.  S.  2105  and  S.  3414  would  require  the 

Secretary  of  Homeland  Security  to  establish  a process  for  designating  federal  and 
nonfederal  information  exchanges,  including  a lead  federal  exchange  responsible 
for  facilitating  information  sharing  among  federal  and  nonfederal  entities.  S. 

3414  further  specifies  that  federal  exchanges  be  in  civilian  agencies.  The  Task 
Force  Report  recommends  establishment  of  a nongovernmental  clearinghouse  for 
sharing  cybersecurity  information  among  private -sector  and  government  entities. 

The  subcommittee  version  of  H.R.  3674  would  have  created  such  an 
organization,  the  National  Information  Sharing  Organization  (NISO).47  However, 
those  provisions  were  omitted  from  the  committee  version,  which  would  instead 
provide  statutory  authorization  for  and  specify  governance  and  responsibilities  of 
the  DHS  National  Cybersecurity  and  Communications  Integration  Center 
(NCCIC),48  which  was  established  administratively  in  2009.49  S.  2151  and  S. 

3342  would  not  authorize  any  new  entities  but  list  a set  of  existing  centers  to 
which  their  information-sharing  provisions  would  apply.  The  DHS  center  that  the 


45  See,  for  example,  Greg  Nojeim,  “WH  Cybersecurity  Proposal:  Questioning  the  DHS  Collection  Center,”  Center  for 
Democracy  & Technology,  May  24,  2011,  http://cdt.org/blogs/greg-nojeim/wli-cybersecurity-proposal-questioning-dhs- 
collection-center;  and  Adriane  Lapointe,  Oversight  for  Cybersecurity  Activities  (Center  for  Strategic  and  International 
Studies,  December  7,  2010),  http://csis.org/files/publication/101202_Oversight_for_Cybersecurity_Activities.pdf.  See 
also  comments  received  by  a Department  of  Commerce  task  force  (available  at  http://www.nist.gov/itl/ 
cybersecnoi.cfm)  in  conjunction  with  development  of  this  report:  Internet  Policy  Task  Force,  Cybersecurity, 

Innovation,  and  the  Internet  Economy  (Department  of  Commerce,  June  2011),  http://www.nist.gov/itl/upload/ 
Cybersecurity_Green-Paper_FinalVersion.pdf.  See  also  footnote  21. 

46  H.R.  3674  would  address  the  issue  by  amending  the  HSA  and  H.R.  3523  by  amending  the  National  Security  Act  of 
1947.  The  other  proposals  do  not  couch  their  provisions  as  amendments  to  current  law. 

4 House  Committee  on  Homeland  Security,  Subcommittee  on  Cybersecurity,  Infrastructure  Protection,  and  Security 
Technologies,  "Hearing  on  Draft  Legislative  Proposal  on  Cybersecurity,”  2011,  http://homeland. house.gov/hearing/ 
subcommittee-liearing-liearing-draft-legislative-proposal-cybersecurity. 

4S  Department  of  Homeland  Security,  "National  Cybersecurity  and  Communications  Integration  Center”,  December  6, 
2011,  http://www.dhs.gov/files/programs/nccic.slitm. 

49  Department  of  Homeland  Security  Office  of  Inspector  General,  “Secretary  Napolitano  Opens  New  National 
Cybersecurity  and  Communications  Integration  Center,”  Press  Release,  October  30,  2009,  http://www.dlis.gov/ynews/ 
releases/pr_1256914923094.slitm.  The  subcommittee  version  of  H.R.  3476  would  also  have  provided  statutory 
authority  for  NCCIC,  but  would  have  given  it  somewhat  different  responsibilities. 
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White  House  Proposal  would  establish  (see  “DHS  Authorities  for  Protection  of 
Federal  Systems”)  would  have  information  sharing  as  one  of  its  responsibilities. 

• Establish  provisions  for  sharing  classified  information.  The  Task  Force  Report, 
H.R.  3523,  S.  2105,  S.  2151,  S.  3342,  and  S.  3414  would  establish  procedures  to 
permit  sharing  of  classified  cybersecurity  information  with  private-sector  entities 
that  meet  specific  criteria. 

• Establish  authority  for  information  sharing  by  and  with  private-sector  entities. 

- H.R.  3523  would  permit  cybersecurity  providers  or  self-protected  entities  to 
share  threat  information  with  other  designated  entities,  notwithstanding  any 
other  provision  of  law.  Federal  agencies  receiving  such  information  would  be 
required  to  share  it  with  NCC1C,  which  could  share  it  with  other  federal 
entities  upon  request  of  the  provider  of  the  information. 

- S.  2105  would  expressly  permit  disclosure  of  lawfully  obtained  threat 
indicators  among  private-sector  entities,  with  the  exchanges  the  bill  would 
establish,  and  by  federal  entities  with  other  relevant  federal  or  private 
entities,  notwithstanding  any  other  provision  of  law.  S.  3414  is  similar  but 
restricts  disclosure  by  federal  entities  to  cybersecurity  and  law-enforcement 
puiposes. 

- S.  2151  and  S.  3342  would  permit  nonfederal  entities  to  share  threat 
information  with  cybersecurity  centers  or  with  other  nonfederal  entities  for 
the  purpose  of  addressing  threats.  S.  2151  would  require  providers  of 
communications,  remote  computing,  and  cybersecurity  services  under  federal 
contracts  to  share  with  cybersecurity  centers,  through  the  contracting  agency, 
any  threat  information  related  to  the  contract.  S.  3342  would  instead  require  a 
coordinated  process  through  which  providers  would  inform  federal  entities  of 
significant  incidents  with  impacts  on  their  missions,  with  the  entity  reporting 
the  information  to  a cybersecurity  center.  S.  2151  would  permit  centers  to 
disclose  threat  information  for  specified  purposes  to  federal  entities,  service 
providers,  and  nonfederal  government  entities,  whereas  S.  3342  would  not 
permit  centers  to  disclose  such  information  to  service  providers. 

- The  White  House  Proposal  would  permit  nonfederal  entities  to  disclose 
information  to  a designated  cybersecurity  center  for  puiposes  of  protection 
from  cybersecurity  threats  and  would  permit  federal  agencies  to  disclose 
such  information  to  relevant  private  entities. 

• Limit  disclosure  of  shared  information.  The  Task  Force  Report,  the  subcommittee 
version  of  H.R.  3674,  H.R.  3523,  S.  2105,  S.  2151,  S.  3342,  S.  3414,  and  the 
White  House  Proposal  would  all  provide  exemptions  from  the  “Freedom  of 
Information  Act  (FOIA)”  for  cybersecurity  information.50  All  would  also  restrict 
disclosure  in  other  ways,  such  as  expressly  requiring  that  it  be  for  specified 
cybersecurity  purposes,  although  specific  requirements  vary. 

• Limit  government  use  of  information  to  specified  purposes.  The  Task  Force 
Report,  H.R.  3523,  H.R.  3674,  S.  2151,  and  S.  3342  would  expressly  restrict  or 


50  The  committee  version  of  H.R.  3674  includes  a FOIA  exemption  by  reference  to  the  amendments  to  Title  XI  of  the 
“National  Security  Act  of  1947”  that  would  be  made  by  H.R.  3523. 
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prohibit  regulatory  use  of  shared  information.  S.  2105,  S.  3414,  and  the  White 
House  Proposal  would  limit  use  of  acquired  information  to  cybersecurity  or  law 
enforcement  purposes.  In  addition  to  those  uses,  H.R.  3523,  S.  2151,  and  S.  3342 
would  permit  use  for  national  security,  and  H.R.  3523  and  S.  3414  would  add 
protection  from  physical  haim  and,  for  minors,  from  sexual  exploitation  and 
threats  to  physical  safety. 

• Limit  liability  for  information  sharing.  The  Task  Force  Report,  H.R.  3523,  S. 
2105,  S.  2151,  S.  3342,  S.  3414,  and  the  White  House  Proposal  would  protect 
nonfederal  entities  from  liability  for  information  shared  or  other  specified  actions 
taken  in  accordance  with  the  provisions  in  the  legislative  proposal.  H.R.  3523 
would  also  provide  for  limited  liability  for  federal  violations  of  restrictions  in  the 
bill  on  disclosure,  use,  and  protection  of  shared  information,  and  S.  3414  for 
violations  of  title  provisions  or  related  regulations.  The  subcommittee  version  of 
H.R.  3674  would  have  peimitted  actual  and  punitive  civil  damages  against 
persons  who  disclose  or  use  for  purposes  other  than  cybersecurity  the 
information  that  is  disclosed  to  private  entities. 

• Provide  privacy  and  civil  liberties  protections.  All  five  proposals  call  for  privacy 
protections.  The  Task  Force  Report  recommends  that  in  providing  safe  harbors 
for  entities  involved  in  infoimation  sharing,  “the  protection  of  personal  privacy 
should  be  at  the  forefront”  (p.  7).  It  also  recommends  that  the  proposed 
nongovernmental  clearinghouse  have  a privacy  board. 

- H.R.  3523  would  peimit  the  federal  government  to  “undertake  reasonable 
efforts  to  limit  the  impact  on  privacy  and  civil  liberties”  of  shared 
information  and  require  the  Inspector  General  of  the  Intelligence  Community 
to  include,  in  an  annual  report  to  Congress,  metrics  on  impacts  of  sharing  on 
privacy  and  civil  liberties.51  It  would  also  require  “appropriate” 
anonymization  of  shared  information.52  In  addition,  the  bill  would  prohibit 
federal  use  of  identifying  infoimation  from  specified  sets  of  library,  sales, 
tax,  education,  or  medical  records. 

- The  subcommittee  version  of  H.R.  3674  would  require  that  two  members  of 
the  NISO  board  of  directors  be  representatives  from  the  privacy  and  civil 
liberties  community  (the  committee  version),  that  the  NISO  charter  and 
procedures  include  privacy  and  civil  liberties  protections,  and  that 
anonymization  procedures,  such  as  removal  of  personally  identifiable 
information,  be  used  for  shared  infoimation.  The  committee  version  would 
create  a similar  board  for  the  NCC1C  and  would  require  ongoing  review  by 
the  DHS  privacy  officer  of  departmental  policies  and  activities. 

- S.  2105  and  S.  3414  would  require  the  director  of  the  DHS  center  to  appoint 
a privacy  officer,  create  guidelines  for  protection  of  privacy  and  civil 
liberties,  and  ensure  that  center  activities  comply  with  federal  requirements. 
The  bill  would  also  require  the  Secretary  of  Homeland  Security  to  develop 
policies  and  procedures  to  minimize  the  impacts  of  information  sharing 
involving  the  exchanges  that  would  be  established  by  the  bill.  It  would 


51  Section  1 104(c)(7)  of  the  National  Security  Act  as  added  by  Section  2(a)  of  the  bill. 

52  Section  1 104(b)(3)(A)  as  added. 
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require  three  relevant  reports:  (1)  an  annual  joint  report  to  Congress  by  the 
DHS  and  Department  of  Justice  privacy  officers  assessing  impacts,  (2)  a 
report  from  the  Privacy  and  Civil  Liberties  Oversight  Board  ' assessing 
impacts  and  recommending  statutory  changes;  and  (3)  a joint  report  by  the 
Secretary  of  Homeland  Security,  the  Director  of  National  Intelligence,  the 
Attorney  General,  and  the  Secretary  of  Defense  that  would  include  disclosure 
of  significant  noncompliance  by  nonfederal  entities  with  the  requirements  of 
the  information  sharing  title  of  the  bill,  especially  with  respect  to  privacy  and 
civil  liberties,  with  recommendations  for  any  statutory  changes  (S.  2105)  or 
that  identifies  changes  in  the  information  technology  environment  that 
challenge  the  adequacy  of  the  law  (S.  3414). 

- S.  2151  would  require  the  heads  of  agencies  with  cybersecurity  centers  to 
jointly  develop  procedures  for  sharing  information.  Those  would  consider  the 
need  for  protection  of  privacy  and  civil  liberties  through  anonymization  and 
other  means.  S.  3342  would  in  addition  permit  efforts  to  limit  impacts  from 
sharing  on  privacy  and  civil  liberties.  Both  bills  would  also  require  biennial 
joint  implementation  reports  from  the  agency  heads,  including  review  of  how 
shared  information  may  impact  privacy  and  civil  liberties,  the  adequacy  of 
steps  to  reduce  such  impact,  and  any  recommended  changes  to  authorities. 

- The  White  House  Proposal  would  require  that  “reasonable  efforts”  be  taken 
“to  remove  information  that  can  be  used  to  identify  specific  persons 
unrelated  to  the  cybersecurity  threat.”54  It  would  add  a new  Sec.  248  to  the 
HSA  on  privacy  and  civil  liberties  relating  to  cybersecurity.  It  would  require 
the  Secretary  of  Homeland  Security,  in  consultation  with  privacy  and  civil 
liberties  experts,  to  develop  and  periodically  review  policies  and  procedures 
on  information  access,  disclosure,  and  use.  The  policies  and  procedures 
would  be  required  to  minimize  impacts  on  privacy  and  civil  liberties, 
safeguard  identities,  protect  confidentiality  as  much  as  possible,  and  provide 
limits  on  access,  use,  and  disclosure  of  information.  Agency  heads  would  be 
required  to  develop  policies  for  handling  information  associated  with  specific 
persons,  to  establish  programs  to  monitor  and  oversee  compliance  with  DHS 
and  agency  policies,  and  to  develop  and  enforce  sanctions  for  violations  by 
agency  personnel.  The  above  policies  and  procedures  would  be  subject  to 
review  and  approval  by  the  Attorney  General.  Like  S.  2105,  the  Wlute  House 
Proposal  would  require  an  annual  joint  report  to  Congress  by  the  DHS  and 
Department  of  Justice  privacy  officers  assessing  impacts,  and  a report  from 
the  Privacy  and  Civil  Liberties  Oversight  Board  assessing  impacts  and 
recommending  statutory  changes. 


53  The  board  was  established  by  the  “Intelligence  Reform  and  Terrorism  Prevention  Act  of  2004  (IRTPA).” 

54  Section  245(a)(1)  as  added  to  the  HSA  by  the  proposal. 


Congressional  Research  Service 


18 


Federal  Laws  Relating  to  Cybersecurity:  Discussion  of  Proposed  Revisions 


Other  Topics 

Cybercrime  Law.  S.  2151,  S.  3342,  the  White  House  Proposal  and  the  Task  Force  Report  would 
each  revise  current  criminal  statutes  relating  to  cybersecurity,  including  criminalizing  the 
damaging  of  computers  associated  with  critical  infrastructure  (Cl).55 

Data  Breach  Notification.  The  White  House  Proposal  and  the  Task  Force  Report  would  also  both 
set  federal  requirements  for  data  breach  notification — public  notification  in  cases  where  a security 
breach  poses  significant  risks  of  exposure  of  sensitive  personal  information.  For  more 
information  on  this  issue,  including  discussion  of  bills  that  would  address  it,  see  CRS  Report 
R42474,  Selected  Federal  Data  Security  Breach  Legislation,  by  Kathleen  Ann  Ruane  and  CRS 
Report  R42475,  Data  Security  Breach  Notification  Laws,  by  Gina  Stevens. 

Some  proposals  address  additional  topics  not  discussed  in  this  overview.  For  example,  FI.R.  2096 
would  require  NIST  to  develop  a strategy  for  federal  use  of  cloud  computing.  The  White  House 
Proposal  would  restrict  the  power  of  state  and  local  governments  to  require  business  entities  to 
locate  data  centers  within  the  state  or  locality.  To  the  extent  that  such  topics  are  addressed  by 
amending  current  statutes,  they  are  discussed  below  under  the  relevant  laws. 


Discussion  of  Proposed  Revisions  of 
Current  Statutes 

To  identify  laws  that  might  be  considered  candidates  for  revision,  CRS  conducted  a broad  search, 
consulting  with  various  experts  and  examining  various  sources,  including  legislative  proposals  in 
the  1 1 1th  and  1 12th  Congresses.  That  search  yielded  more  than  50  potentially  relevant  statutes  (see 
Table  2),  of  which  proposed  revisions  were  identified  for  3 1 ,56  For  each  of  the  latter  group,  the 
report  contains  an  entry  that  includes 

• the  popular  name  of  the  statute;57 

• the  public  law  number,  along  with  Statutes-at-Large  and  relevant  U.S.  Code 
citations;58 

• a brief  description  of  the  relevance  of  the  statute  for  cybersecurity;59  and 


55  For  discussion  of  federal  cybercrime  laws,  see  CRS  Report  97-1025,  Cybercrime:  An  Over-view  of  the  Federal 
Computer  Fraud  and  Abuse  Statute  and  Related  Federal  Criminal  Laws,  by  Charles  Doyle;  and  CRS  Report  R40599, 
Identity  Theft:  Trends  and  Issues,  by  Kristin  M.  Finklea.  See  also  the  discussions  of  criminal  statutes  in  this  report. 

56  There  are  27  entries,  but  the  one  on  antitrust  laws  consists  of  four  different  statutes.  Neither  of  the  two  lists  is 
intended  to  be  definitive  or  exhaustive.  For  example,  some  analysts  may  argue  that  more  agency  authorization  statutes 
should  be  included,  or,  alternatively,  that  some  of  the  statutes  that  are  included  are  not  of  significant  relevance. 

57  This  is  the  name  by  which  the  statute  is  commonly  known. 

5S  The  public  law  (P.L.)  and  United  States  Statutes  at  Large  (Stat.)  citations  refer  to  the  original  law  to  which  the 
popular  name  currently  applies.  Laws  enacted  before  1957  generally  do  not  have  public  law  numbers  but  chapter 
numbers  (Ch.)  instead.  U.S.  Code  (U.S.C.)  citations  refer  to  the  codified  law,  including  any  amendments,  of  those 
provisions  deemed  most  relevant  for  cybersecurity  as  discussed  in  the  text  under  that  law  (see  also  footnote  59).  For 
more  information  about  citation  fonns,  see  Law  Library  of  Congress,  “Federal  Statutes,”  April  4,  201 1, 
http://www.loc.gov/law/help/statutes.php.  More  complete  cross-references  of  public  laws  to  corresponding  provisions 
of  U.S.  Code  can  be  found  in  classification  tables  (see,  for  example,  U.S.  House  of  Representatives,  Office  of  the  Law 
Revision  Counsel,  “U.S.  Code  Classification  Tables,”  2011,  http://uscode.house.gov/classification/tables.shtml). 
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• discussion  of  potential  revisions  or  updates  that  have  been  suggested.60 

Entries  are  in  chronological  order.61  The  statutes  discussed  include  only  those  for  which  CRS 
identified  specific  proposals  to  revise  them  from  various  observers  and  in  public  sources.62  It  does 
not  include  proposals  for  new  provisions  of  federal  law  that  were  not  identified  explicitly  as 
revisions  of  current  named  statutes. 

One  example  is  the  recommendations  for  statutory  language  on  data-breach  notification  in  the 
White  House  Proposal  and  the  Task  Force  Report.  Neither  those  two  documents,  nor  the  bills  on 
the  issue  that  have  been  introduced  in  the  1 12th  Congress,63  specify  named  statutes  to  be  revised. 
One  of  those  bills,  S.  1151,  would  revise  18  U.S.C.  Chapter  47  (Fraud  and  False  Statements)  by 
adding  a new  section  at  the  end,  but  that  provision  does  not  modify  any  named  statute  specified 
either  in  the  bill  or  in  the  U.S.  Code.  It  is  therefore  not  included  in  the  discussion  below. 

However,  the  bill  would  also  revise  18  U.S.C.  §1030,  which  was  added  by  the  “Counterfeit 
Access  Device  and  Computer  Fraud  and  Abuse  Act  of  1984,”  so  that  provision  is  discussed. 

Another  example  is  bills  with  provisions  clearly  related  to  a named  statute,  but  that  do  not 
explicitly  modify  that  statute.  One  example  from  the  111th  Congress  is  H.R.  5590,  which  had 
cybersecurity  provisions  that  might  be  interpreted  as  modifications  to  the  HSAbut  were  not  cited 
as  such.  Such  provisions  are  not  discussed  in  this  report  because  their  effects  on  specific  statutes 
could  not  be  determined  with  certainty. 

The  approach  taken  in  this  report  of  focusing  on  statutes  by  their  popular  names  is  useful  in  many 
cases,  but  it  has  some  significant  limitations,  particularly  with  respect  to  the  U.S.  Code.  Some 
laws,  such  as  the  USA  Patriot  Act  of  2001  (see  Table  2),  may  be  classified  across  many  titles  and 
sections,64  which  may  make  analysis  more  challenging.  Fortunately,  that  did  not  prove  to  be  a 
significant  concern  for  this  report. 

However,  lack  of  correspondence  between  named  laws  and  proposed  modification  of  provisions 
in  the  U.S.  Code,  described  above,  may  in  some  cases  result  in  significant  gaps  in  coverage  of 
relevant  provisions  of  law  relating  to  cybersecurity  by  an  approach  such  as  the  one  taken  here. 
Therefore,  the  analysis  presented  here  should  not  be  regarded  as  complete. 


(...continued) 

59  In  some  cases,  such  as  the  Cybersecurity  Research  And  Development  Act,  P.L.  107-305,  the  entire  statute  is  relevant 
to  cybersecurity.  In  others,  such  as  the  Omnibus  Crime  Control  and  Safe  Streets  Act  of  1968,  P.L.  90-351,  the  statute 
has  a broader  focus  and  only  the  provisions  relevant  to  the  text  are  cited  and  described.  However,  given  that 
cybersecurity  is  not  a precise  concept,  there  may  in  some  cases  be  legitimate  disagreements  among  experts  about  which 
provisions  are  relevant.  Therefore,  the  descriptions  and  U.S.  Code  citations  cannot  be  considered  definitive. 

60  The  discussion  is  provided  for  purposes  of  infonnation  only.  CRS  does  not  propose  legislation  or  take  positions  or 
make  recommendations  on  legislative  proposals  or  issues.  Contributing  CRS  staff  include  Patricia  Moloney  Figliola, 
Kristin  M.  Finklea,  Eric  A.  Fischer,  Wendy  R.  Ginsberg,  John  Rollins,  Kathleen  Ann  Ruane,  Gina  Stevens,  Rita  Tehan, 
and  Catherine  A.  Theohary.  Entries  for  which  no  contributor  is  indicated  were  written  by  Eric  A.  Fischer. 

61  The  order  is  by  date  of  enactment  of  the  earliest  relevant  statute,  as  assessed  by  CRS.  This  organization,  rather  than 
alternatives  such  as  by  topic  or  U.S.  Code  title,  was  chosen  because  it  provides  the  best  view  of  the  evolution  of 
legislation  in  this  area. 

62  Sources  are  cited  where  they  could  be  specifically  identified. 

63  Data-breach  notification  is  also  covered  by  H.R.  1528,  H.R.  1707,  H.R.  1841,  H.R.  2577,  S.  1151,  S.  1207,  S.  1480, 
andS.  1535. 

64  This  act  was  classified  to  15  titles. 
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Posse  Comitatus  Act  of  1879 

Ch.  263,20  Stat.  152. 

18  U.S.C.  §1385.65 

Major  Relevant  Provisions 

• Restricts  the  use  of  military  forces  in  civilian  law  enforcement  within  the  United 
States,  unless  it  is  within  a federal  government  facility.66 

• Courts  have  ruled  that  violations  of  the  act  occur  when  civilian  law  enforcement 
makes  “direct  active  use”  of  military  investigators,  when  use  of  the  military 
pervades  the  activities  of  the  civilian  officials,  or  when  the  military  is  used  so  as 
to  subject  citizens  to  military  power  that  is  regulatory,  prescriptive,  or 
compulsory  in  nature. 

Possible  Updates 

• Some  observers  claim  that  the  act  prevents  the  military  from  cooperating  on 
cybersecurity  with  civil  agencies  that  may  lack  the  resident  expertise  and 
capabilities  of  the  military  and  DOD.67  In  addition,  it  may  sometimes  be  difficult 
to  distinguish  a criminal  cyber  attack  from  one  involving  national  defense, 
especially  if  the  attack  is  on  a component  of  critical  infrastructure. 

• Some  have  therefore  proposed  that  the  act  be  amended  to  clarify  when  U.S. 
military  can  operate  domestically  regarding  cyber  threats  to  such  infrastructure, 
most  of  which  is  privately  owned.  Others  maintain  that  no  revision  is  needed 
because  the  President  has  the  authority  under  current  law  to  direct  the  military  to 
support  civil  authorities  in  the  event  of  a domestic  disaster. 

• A memorandum  of  agreement  signed  between  DHS  and  DOD  may  increase  the 
likelihood  that  the  military  would  play  a significant  role  in  responding  to  a major 
cyber  attack  on  U.S.  information  networks.68  However,  some  argue  that  the 
defense  of  U.S.  information  systems  should  be  solely  the  purview  of  civilian 
agencies  such  as  DHS  and  the  FBI,  because  involvement  of  the  military  creates 
unacceptable  privacy  and  civil  liberties  concerns. 


65  Prepared  by  Catherine  A.  Theohary,  Analyst  in  National  Security  Policy  and  Information  Operations 
(ctheohary@crs.loc.gov,  7-0844). 

66  For  further  discussion,  see  CRS  Report  RS22266,  The  Use  of  Federal  Troops  for  Disaster  Assistance:  Legal  Issues, 
by  Jennifer  K.  Elsea  and  R.  Chuck  Mason. 

hl  For  example,  see  Jeffrey  K.  Toomer,  “A  Strategic  View  of  Homeland  Security:  Rclooking  the  Posse  Comitatus  Act 
and  DOD’s  Role  in  Homeland  Security”  (monograph,  School  of  Advanced  Military  Studies,  United  States  Army 
Command  and  General  Staff  College,  Fort  Leavenworth,  Kansas,  July  1 1,  2002),  http://www.dtic.mil/cgi-bin/ 
GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA403866. 

6S  Department  of  Homeland  Security  and  Department  of  Defense,  “Regarding  Cybersecurity.”  The  MOA  provides 
tenns  for  sharing  of  personnel,  equipment,  and  facilities  by  the  two  agencies  to  improve  planning,  capabilities,  and 
mission  activities  in  national  cybersecurity  efforts. 
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Antitrust  Laws  and  Section  5 of  the  Federal  Trade  Commission  Act 

Sherman  Antitrust  Act 

Ch.  647,  26  Stat.  209. 

15  U.S.C.  §§1-7. 

Wilson  Tariff  Act 

Ch.  349,  §73,  28  Stat.  570. 

15  U.S.C.  §§8-11. 

Clayton  Act 

P.L.  63-212,  38  Stat.  730. 

15  U.S.C.  §§12-27. 

Section  5 of  the  Federal  Trade  Commission  Act  (FTC  Act) 

Ch.  311,  §5,  38  Stat.  719. 

15  U.S.C.  §45(a).69 

When  referred  to  in  statute,  the  term  “antitrust  laws”  generally  means  the  three  laws  listed  in  1 5 
U.S.C.  § 12(a),  which  are  the  first  three  statutes  listed  above.  Also  frequently  included  in  the  list 
of  antitrust  laws  is  Section  5 of  the  FTC  Act,  which  prohibits  unfair  and  deceptive  trade  practices. 
Section  5 is  included  because  courts  have  found  that  unfair  competition  includes,  at  the  least, 
activity  that  would  violate  the  Sherman  or  Clayton  Acts.70 

Major  Relevant  Provisions 

• The  antitrust  laws  as  well  as  Section  5 of  the  FTC  Act  are  a collection  of  statutes 
that  forbid  combinations  or  agreements  that  unreasonably  restrain  trade.71 
Whenever  competitors  in  a given  market  share  information,  antitrust  concerns 
may  be  raised  due  to  the  risk  of  collusion  among  competitors.72 

Possible  Updates 

Information  sharing  agreements  between  private  corporations  may  be  subject  to  antitrust  scrutiny, 
because  the  sharing  of  information  among  competitors  could  create  opportunities  for 
collaboration  with  the  goal  of  restraining  trade.73  Flowever,  information  sharing  agreements  to 


69  Prepared  by  Kathleen  Ann  Ruane,  Legislative  Attorney  (kruane@crs.loc.gov,  7-9135). 

70  See,  e.g.,  United  States  v.  American  Airlines  Inc.,  743  F.2d  1 1 14  (5th  Cir.  1984);  FTC  v.  Motion  Picture  Advertising 
Serv.  Co.,  344  U.S.  392,  394-95  (1953);  FTC  v.  Cement  Institute,  333  U.S.  683,  694  (1948);  Fashion  Originators’ 
Guild  v.  FTC,  312  U.S.  457,  463-64  (1941). 

71  See  Standard  Oil  Co.  v.  U.S.,221  U.S.  1 (1911). 

12  See  Federal  Trade  Commission  and  Department  of  Justice,  Antitrust  Guidelines  for  Collaborations  among 
Competitors , April  2000,  http://www.ftc.gov/os/2000/04/ftcdojguidelines.pdf. 

73  Ibid. 
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combat  cybersecurity  may  be  in  compliance  with  antitrust  principles  so  long  as  their  goals  are  to 
combat  cyber  threats  rather  than  restrain  competition.74 

Some  may  argue  that  in  order  to  develop  effective  and  efficient  information  sharing  agreements  to 
combat  cybersecurity  threats,  an  explicit  exemption  from  the  antitrust  laws  for  these  agreements 
is  necessary.  Congress  has  previously  proposed  such  an  exemption.  For  example,  H.R.  2435 
(107th  Congress)  would  have  granted  an  express  exemption  from  the  antitrust  laws  and  from 
Section  5 of  the  FTC  Act  to  persons  making  and  implementing  agreements  entered  into  solely  for 
the  purpose  of  “facilitating  the  correction  or  avoidance  of  a cyber  security-related  problem  or 
communication  of  or  disclosing  information  to  help  correct  or  avoid  the  effects  of  a cyber 
security-related  problem.”  Such  an  exemption,  if  enacted  by  Congress,  would  allow  market 
participants  to  engage  in  information  sharing  for  the  purposes  of  combating  cybersecurity  threats 
without  concern  for  implicating  the  antitrust  laws.  In  the  1 12th  Congress,  the  Task  Force  Report 
states  that  an  antitrust  exemption  might  be  required.75  H.R.  3523  does  not  specifically  mention 
antitrust  laws,  but  it  permits  sharing  of  cybersecurity  information  among  private-sector  entities 
“notwithstanding  any  other  provision  of  law.”  S.  2151  and  S.  3342  would  expressly  exempt  from 
antitrust  laws  the  exchange  among  private  entities  of  information  relating  to  cybersecurity  threats. 

Others  may  argue  that  the  antitrust  laws  are  flexible  in  nature,  particularly  as  they  relate  to 
information  sharing  agreements,  and  the  laws  are  flexibly  applied  by  the  agencies  of 
jurisdiction.76  This  flexible  nature  may  obviate  the  need  for  express  exemptions  from  the 
application  of  the  laws,  while  keeping  the  antitrust  agencies  involved  in  and  aware  of  the 
information  sharing  agreements  companies  are  making.77  The  agencies  have  expressed  a view 
that  if  competitors  are  collaborating  for  reasons  that  do  not  restrain  trade  or  hamper  competition, 
and  safeguards  are  in  place  to  prevent  such  restraint,  the  antitrust  laws  should  not  hinder  such 
collaboration.78  The  Department  of  Justice  (DOJ)  currently  allows  companies  wishing  to  create 
information  sharing  arrangements  for  permissible  and  procompetitive  purposes  to  submit  their 
plans  for  collaboration  to  the  agency.79  The  agency  then  reviews  the  plans  and,  if  the  plans  are 
approved,  issues  what  is  known  as  a business  review  letter.80  The  business  review  letter  will 
generally  state  that  DOJ  does  not  intend  to  enforce  the  antitrust  laws  against  the  proposed 
collaboration.  DOJ  has  issued  business  review  letters  to  companies  who  have  developed  plans  to 
share  information  to  combat  cybersecurity  threats.81 


74  Ibid,  (noting  that  many  collaborations  among  competitors  are  “not  only  benign,  but  procompetitive”). 

75  House  Republican  Cybersecurity  Task  Force,  Recommendations,  p.  1 1 . 

76  See  Amitai  Aviram,  “Network  Responses  to  Network  Threats,”  in  The  Law  and  Economics  of  Cyber  security,  ed. 
Mark  Grady  and  Francesco  Parisi  (New  York:  Cambridge  University  Press,  2006),  157-158. 

77  See  Federal  Trade  Commission  and  Department  of  Justice,  Antitrust  Guidelines. 

78  Ibid. 

79  28  C.F.R.  §50.6. 

80  Federal  Trade  Commission  and  Department  of  Justice,  Antitrust  Guidelines. 

81  Joel  I.  Klein,  Assistant  Attorney  General,  to  Barbara  Greenspan,  Associate  General  Counsel,  Electric  Power  Institute, 
Inc.,  October  2,  2000,  http://www.justice.gov/atr/public/busreview/6614.htm. 
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National  Institute  of  Standards  and  Technology  Act 

Ch.  872,  31  Stat.  1449. 

15  U.S.C.  §271  etseq. 

Major  Relevant  Provisions 

The  original  act  gave  the  agency  responsibilities  relating  to  technical  standards.  Later 
amendments  added  more  generally  relevant  provisions  and,  more  specifically, 

• Identified  relevant  research  topics,  among  them  computer  and  telecommunication 
systems,  including  information  security  and  control  systems.82 

• Established  a computer  standards  program  at  the  National  Institute  of  Standards 
and  Technology  (NIST).83 

Possible  Updates 

Despite  NIST’s  current  authority  to  conduct  research  on  computers  and  information  security, 
some  concerns  have  been  raised  about  whether  those  activities  should  be  enhanced  in  light  of  the 
evolving  threat  environment  for  cybersecurity.  In  the  1 1 1th  Congress,  H.R.  406 1 , which  was 
passed  by  the  House,  would  have  required  NIST  to  conduct  intramural  research  on  identity 
management  and  the  security  of  information  systems,  networks,  and  industrial  control  systems.  A 
similar  bill,  H.R.  2096,  is  being  considered  by  the  1 12th  Congress. 


Federal  Power  Act 

Ch.  285,41  Stat.  1063. 

16  U.S.C.  §791a  et  seq.,  §824  et  seq.84 

Major  Relevant  Provisions 

• Established  the  Federal  Energy  Regulatory  Commission  (FERC)  and  gave  it 
regulatory  authority  over  interstate  sale  and  transmission  of  electric  power. 

Possible  Updates 

Concerns  about  the  vulnerability  of  the  electric  grid  to  cyber  attack  have  increased  substantially 
over  the  last  several  years.85  Although  the  Energy  Policy  Act  of  2005  (P.L.  109-58)  gave  FERC 


82  15  U.S.C.  §272,  as  amended  by  the  Technology  Competitiveness  Act,  Subtitle  B of  Title  V of  P.L.  100-418,  the 
Omnibus  Trade  and  Competitiveness  Act  of  1988,  which  also  changed  the  name  of  the  agency  from  the  National 
Bureau  of  Standards  to  the  National  Institute  of  Standards  and  Technology,  and  changed  the  name  of  the  act  to  the 
National  Institute  of  Standards  and  Technology  Act. 

83  15  U.S.C.  §§278g-3  and  -4,  as  added  by  the  Computer  Security  Act  of  1987.  See  also  “Federal  Information  Security 
Management  Act  of  2002  (FISMA).” 

84  The  law  was  originally  enacted  in  1920  as  the  Federal  Water  Power  Act  but  was  renamed  the  Federal  Power  Act  in 
1935  (49  Stat.  863,  16  U.S.C.  §791a). 

85  See,  for  example,  H.Rept.  111-493,  S.Rept.  111-331. 
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responsibility  for  developing  reliability  standards  for  power  systems,  limitations  to  that  authority 
and  to  the  usefulness  of  the  standards-development  process  to  respond  effectively  to  rapidly 
emerging  cybersecurity  threats  have  raised  concerns  about  the  need  for  enhancing  FERC’s 
authority  to  address  those  threats,  especially  in  light  of  the  development  of  smart-grid 
technology.86  Several  bills  were  introduced  in  the  1 1 1th  Congress  (H.R.  2165,  H.R.  2195,  H.R. 
5026,  S.  946,  S.  1462)  in  response.  H.R.  5026,  which  was  passed  by  the  House,  would  have 
expanded  FERC’s  jurisdiction  over  electric  infrastructure  and  authorized  FERC  to  order  actions 
by  relevant  entities  in  response  to  threats  to  cybersecurity.  In  the  1 12th  Congress,  S.  1342  would 
also  provide  expanded  cybersecurity  authorities  to  FERC,  and  H.R.  668  would  give  FERC 
emergency  authorities  in  response  to  events  causing  large-scale  disruptions  of  the  electric  grid. 


Communications  Act  of  1934 

Ch.  652,  48  Stat.  1064. 

47  U.S.C.  §151  etseq.87 

Major  Relevant  Provisions 

• Established  the  Federal  Communications  Commission  (FCC)  and  gave  it 
regulatory  authority  over  both  domestic  and  international  commercial  wired  and 
wireless  communications. 

• Provides  the  President  with  authority  in  a national  emergency  to  control  “any  or 
all  stations  or  devices  capable  of  emitting  electromagnetic  radiations,”  and  in 
case  of  war  or  threat  of  war,  to  close  “any  facility  or  station  for  wire 
communication”  (Section  706  of  the  act,  47  U.S.C.  §606). 

Possible  Updates 

Some  observers  have  proposed  that  the  act  should  be  revised  to  give  the  FCC  more  of  a role  in 
cybersecurity,  especially  given  the  growing  merging  of  information  and  communications 
technology  (1CT)  and  their  increasing  importance  in  the  U.S.  economy.  In  fact,  a number  of  other 
countries  have  more  unified  governance  of  1CT  than  the  United  States.88 

Some  controversy  exists  about  whether  the  Section  706  authorities  described  above  permit  the 
President  to  shut  down  Internet  communications  during  a war  or  national  emergency,  a power  that 
has  sometimes  been  referred  to  as  the  “Internet  kill  switch.”89  However,  there  does  not  appear  to 
be  a consensus  about  whether  in  fact  such  additional  authority  is  needed,  or,  if  it  is  not,  whether 
additional  legislation  is  needed  to  clarify  and  delimit  it. 

That  debate  became  acute  during  Senate  consideration  of  S.  773  and  S.  3480  in  the  1 1 1th 
Congress.  Those  bills  would  have  authorized  emergency  measures  by  the  President  if  the 

86  CRS  Report  R41886,  The  Smart  Grid  and  Cybersecurity — Regulatory  Policy  and  Issues,  by  Richard  J.  Campbell. 

87  See  also  “Communications  Decency  Act  of  1996.” 

88  See,  for  example,  Elgin  M.  Brunner  and  Manuel  Suter,  International  CUP  Handbook  2008/2009  (Center  for  Security 
Studies,  ETH  Zurich,  2008),  http://www.css.ethz.ch/publications/CIIP_HB_08. 

89  See  also  CRS  Report  R41674,  Terrorist  Use  of  the  Internet:  Information  Operations  in  Cyberspace,  by  Catherine  A. 
Theohary  and  John  Rollins. 
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operation  of  critical  infrastructure  were  threatened  by  cyber  attack.  A similar  provision  has  been 
proposed  in  S.  413  in  the  112th  Congress.90  This  bill  also  contains  a provision  that  would 
expressly  deny  the  federal  government  of  any  authority  to  “shut  down  the  Internet.” 


National  Security  Act  of  1947 

Ch.  343,61  Stat.  495 
50  U.S.C.  401  etseq. 

Major  Relevant  Provisions 

• Provided  the  basis  for  the  modem  organization  of  U.S.  defense  and  national 
security  by  reorganizing  military  and  intelligence  functions  in  the  federal 
government. 

• Created  the  National  Security  Council,  the  Central  Intelligence  Agency,  and  the 
position  of  Secretary  of  Defense. 

• Established  procedures  for  access  to  classified  information. 

Possible  Updates 

A broad  consensus  exists  that  a significant  barrier  to  improving  cybersecurity  is  limitations  on 
sharing  of  infomiation,  including  classified  infomiation,  about  cyber-threats  and  attacks.91  H.R. 
3523  would  address  that  concern  by  amending  the  act  to  facilitate  sharing  of  intelligence 
information  relating  to  cybersecurity,  including  classified  information,  between  federal 
intelligence  entities  and  private-sector  providers  of  cybersecurity  services,  and  to  facilitate  the 
identification  and  sharing  of  threat  infomiation  by  providers.  The  bill  also  includes  provisions  for 
protection  from  liability  for  entities  sharing  infomiation  and  exemption  from  disclosure  of  that 
information  under  the  “Freedom  of  Infomiation  Act  (FOIA).” 

See  also  “Infomiation  Sharing.” 


90  S.  413  is  largely  identical  to  S.  3480.  Both  would  provide  the  authority  for  the  emergency  measures  through  a 
revision  of  the  Homeland  Security  Act,  not  the  Communications  Act.  In  addition,  they  would  assign  the  authority  to 
implement  Section  706  to  the  head  of  a White  House  office  to  be  created  by  the  bills.  The  provision  in  S.  773  was  not 
presented  as  a revision  to  a specified  law. 

91  For  example,  the  Task  Force  Report  states,  “There  is  widespread  agreement  that  greater  sharing  of  information  is 
needed  within  industries,  among  industries,  and  between  government  and  industry  in  order  to  improve  cybersecurity 
and  to  prevent  and  respond  to  rapidly  changing  threats.  For  example,  through  intelligence  collection,  the  federal 
government  has  insights  and  capabilities  that  many  times  are  classified  but  would  be  useful  to  help  defend  private 
companies  from  cybersecurity  attacks”  (House  Republican  Cybersecurity  Task  Force,  Recommendations,  p.  10). 
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U.S.  Information  and  Educational  Exchange  Act  of  1948 
(Smith-Mundt  Act) 

Ch.  36,  62  Stat.  6. 

22  U.S.C.  §1431  et  seq.92 

Major  Relevant  Provisions 

• Restricts  the  State  Department  from  disseminating  public  diplomacy  information 
domestically  and  limits  its  authority  to  communicate  with  the  American  public  in 
general  (22  U.S.C.  § 1461-la).93  The  domestic  dissemination  provision  originally 
applied  to  the  now  defunct  U.S.  Information  Agency  (US1A),  which  was 
abolished  and  its  functions  transferred  to  the  Secretary  of  State  by  RL.  105-277 
(22  U.S.C.  §6532).94 

Possible  Updates 

Critics  maintain  that  the  law  is  a Cold  War  relic  intended  only  to  restrict  the  US1A,  which  no 
longer  exists,  from  propagandizing  Americans  with  public  diplomacy  and  information  materials 
that  were  intended  for  a foreign  audience.  Those  critics  argue  that  the  restrictions  were  created 
before  the  advent  of  the  Internet,  and  the  provisions  create  an  obsolete  barrier  that  serves  only  to 
prevent  the  State  Department  from  communicating  effectively.  Some  have  also  argued  that  the 
law  has  been  interpreted  to  prohibit  the  military  from  conducting  information  operations  in 
cyberspace,  as  some  of  those  activities  could  be  considered  propaganda  that  could  reach  U.S. 
citizens,  since  the  United  States  does  not  restrict  Internet  access  according  to  territorial 
boundaries. 

Yearly  appropriations  bills  for  both  the  State  Department  and  Department  of  Defense  include 
restrictions  on  use  of  funds  for  “propaganda”  activities,  although  the  word  “propaganda”  is  not 
defined.  In  the  1 1 1th  Congress,  H.R.  5729  would  have  removed  the  so-called  “firewall”  between 
domestic  and  foreign  audiences  by  explicitly  authorizing  the  Department  of  State  to  disseminate 
information  through  the  Internet  and  information  media,  stating  that  the  resolution  shall  “not  be 
construed  to  prohibit  the  Department  from  engaging  in  any  medium  of  information  on  a 
presumption  that  a U.S.  domestic  audience  may  be  exposed  to  program  material.”  However,  this 
provision  would  have  applied  only  to  the  State  Department;  it  would  not  have  included  DOD  or 
other  federal  departments  or  agencies. 


92  Prepared  by  Catherine  A.  Theohary,  Analyst  in  National  Security  Policy  and  Information  Operations 
(ctheohary@crs.loc.gov,  7-0844). 

93  This  restriction  was  added  by  the  Foreign  Relations  Authorization  Act,  Fiscal  Years  1986  and  1987  (P.L.  99-93,  99 
Stat.  43 1 ) and  was  not  part  of  the  original  act. 

94  For  discussion,  see  CRS  Report  R40989,  U.S.  Public  Diplomacy:  Background  and  Current  Issues,  by  Kennon  H. 
Nakamura  and  Matthew  C.  Weed. 
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State  Department  Basic  Authorities  Act  of  1956 

Ch.  841,  70  Stat.  890. 

22  U.S.C.  §265 la. 

Major  Relevant  Provisions 

• Specifies  the  organization  of  the  Department  of  State,  including  the  positions  of 
coordinator  for  counterterrorism  and  for  HIV/AIDS  response. 

Possible  Updates 

As  the  Internet  becomes  increasingly  international,  concerns  have  been  raised  about  the 
development  and  coordination  of  international  efforts  in  cybersecurity  by  the  United  States.95  In 
the  111th  Congress,  S.  3193  would  have  addressed  those  concerns  by  establishing  a coordinator 
for  cyberspace  and  cybersecurity  issues  within  the  Department  of  State.  S.  1426  in  the  1 12th 
Congress  contains  a similar  provision. 


Freedom  of  Information  Act  (FOIA) 

P.L.  89-487,  80  Stat.  250. 

5 U.S.C.  §552.96 

Major  Relevant  Provisions 

• Enables  any  person  to  access — without  explanation  or  justification — existing, 
identifiable,  unpublished  executive -branch  agency  records,  unless  the  material 
falls  within  any  of  FOlA’s  nine  categories  of  exemption  from  disclosure. 

Possible  Updates 

Sharing  of  cybersecurity  information  between  the  federal  government  and  nonfederal  entities  is 
widely  considered  to  be  an  essential  need,  especially  with  respect  to  the  protection  of  critical 
infrastructure  (Cl).  However,  attempts  to  encourage  the  private  sector  to  share  sensitive  Cl 
information  with  the  federal  government  have,  at  times,  been  met  with  concerns  that  such  records 
could  be  subject  to  public  release  under  FOIA,  resulting  in  potential  economic  or  other  harm  to 
the  source. 

Among  the  nine  exemptions  that  permit  agencies  to  withhold  applicable  records  are  three  that 
may  particularly  apply  to  cybersecurity  information: 


95  See,  for  example,  CSIS  Commission  on  Cybersecurity  for  the  44th  Presidency,  Securing  Cyberspace  for  the  44,h 
Presidency,  December  2008,  http://www.csis.org/tech/cyber/;  The  White  House,  Cyberspace  Policy  Review,  May  29, 
2009,  http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_fmal.pdf;  and  The  White  House, 
International  Strategy  for  Cyberspace. 

96  Prepared  by  Wendy  R.  Ginsberg,  Analyst  in  Government  Organization  and  Management  (wginsberg@crs.loc.gov,  7- 
3933). 
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• Exemption  1:  information  properly  classified  for  national  defense  or  foreign 
policy  purposes  as  secret  under  criteria  established  by  an  executive  order. 

• Exemption  3:  data  specifically  exempted  from  disclosure  by  a statute  other  than 
FOIA  if  that  statute  meets  criteria  laid  out  in  FOIA.97 

• Exemption  4:  trade  secrets  and  commercial  or  financial  information  obtained 
from  a person  that  is  privileged  or  confidential." 

An  example  of  Exemption  3 is  Section  214  of  the  HSA  (see  p.  41),  which  exempts  information 
about  the  security  of  critical  infrastructure  and  protected  systems  that  is  voluntarily  submitted  to 
an  agency  covered  under  the  act,  provided  that  the  entity  that  supplies  the  information  expressly 
requests  the  exemption  concurrently. 

Despite  these  existing  protections,  some  private-sector  entities  may  still  have  concerns  about 
public  release  of  sensitive  records — that  existing  laws  may  not  be  specific  enough  to  protect 
particular  types  of  records,  or  they  may  be  too  narrow  to  protect  all  records  of  concern.  The  White 
House  Proposal  would  address  such  concerns  by  applying  Exemption  3 to  any  lawfully  obtained 
information  provided  to  DEIS  for  cybersecurity  purposes.99  The  Task  Force  Report  also  suggests 
that  a FOIA  exemption  may  be  needed,100  and  several  bills,  including  FI.R.  3523,  S.  2105,  S. 

2151,  S.  3342,  and  S.  3414  would  provide  such  a FOIA  exemption,  although  none  of  those 
proposals  would  directly  modify  the  statute.  Adding  such  broad  exemptions  to  FOIA,  however, 
could  nevertheless  prompt  concerns  about  decreases  in  federal  transparency. 


91  The  statute  must  require  that  the  data  be  withheld  from  the  public  in  such  a manner  as  to  leave  no  discretion  on  the 
issue,  establish  particular  criteria  for  withholding  information  or  refer  to  particular  types  of  matters  to  be  withheld,  or 
specifically  cite  the  exemption  if  enacted  after  October  28,  2009,  the  date  of  enactment  of  the  OPEN  FOIA  Act  of 
2009,  P.L.  1 1 1-83.  These  exemptions  are  also  called  “b(3)  exemptions”  because  they  are  created  pursuant  to  5 U.S.C. 
§552(b)(3). 

9S  Other  exemptions  may  also  sometimes  apply  to  cybersecurity  information.  For  further  discussion  of  FOIA  and  its 
exemptions,  see  CRS  Report  R41933,  Freedom  of  Information  Act  (FOIA):  Background  and  Policy  Options  for  the 
112th  Congress,  by  Wendy  Ginsberg,  CRS  Report  R41406,  The  Freedom  of  Information  Act  and  Nondisclosure 
Provisions  in  Other  Federal  Laws,  by  Gina  Stevens. 

99  See  “Sec.  245.  Voluntary  Disclosure  of  Cybersecurity  Information,”  in  The  White  House,  “Department  of  Homeland 
Security  Cybersecurity  Authority  and  Information  Sharing,”  May  12,  201 1,  p.  8-9,  http://www.whitehouse.gov/sites/ 
default/files/omb/legislative/letters/dhs-cybersecurity-authority.pdf. 

100  Specifically,  it  states,  “information  sharing  within  existing  structures  can  be  improved  through  limited  safe  harbors 
when  private  sector  entities  voluntarily  disclose  threat,  vulnerability,  or  incident  information  to  the  federal  government 
or  ask  for  advice  or  assistance  to  help  increase  protections  on  their  own  systems.  These  protections  would  need  to 
address  concerns  about  antitrust  issues,  liability,  an  exemption  from  the  Freedom  of  Information  Act  (FOIA), 
protection  from  public  disclosure,  protection  from  regulatory  use  by  government,  and  whether  or  not  a private  entity  is 
operating  as  an  agent  of  the  government.  However,  the  protection  of  personal  privacy  should  be  at  the  forefront  of  any 
limited  legal  protection  proposal”  (House  Republican  Cybersecurity  Task  Force,  Recommendations,  p.  11). 
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Omnibus  Crime  Control  and  Safe  Streets  Act  of  1968 

P.L.  90-351,  82  Stat.  197. 

42  USC  Chapter  46,  §§3701  to  3797ee-l. 

Major  Relevant  Provisions 

• Title  1 established  federal  grant  programs  and  other  forms  of  assistance  to  state 
and  local  law  enforcement. 

• Title  111  is  a comprehensive  wiretapping  and  electronic  eavesdropping  statute  that 
not  only  outlawed  both  activities  in  general  terms  but  that  also  permitted  federal 
and  state  law  enforcement  officers  to  use  them  under  strict  limitations.101 

Possible  Updates 

The  incidence  of  cybercrime  has  increased  dramatically  over  the  last  decade.102  State  and  local 
law  enforcement  agencies  play  an  important  role  in  combating  cybercrime,  but  concerns  have 
been  raised  about  their  abilities  to  invest  sufficient  resources  in  enforcement  activities.  In  the 
1 11th  Congress,  H.R.  1292  would  have  added  a program  for  law  enforcement  grants  to  state  and 
local  criminal  justice  agencies  and  relevant  nonprofit  organizations  to  combat  “white  collar 
crime,”  including  cybercrime. 


Racketeer  Influenced  and  Corrupt  Organizations  Act  (RICO) 

P.L.  91-452,  84  Stat.  941. 

18  U.S.C.  Chapter  96,  §§1961-1968. 

Major  Relevant  Provisions 

• Enlarges  the  civil  and  criminal  consequences  of  a list  of  state  and  federal  crimes 
when  committed  in  a way  characteristic  of  the  conduct  of  organized  crime 
(racketeering).103 

Possible  Updates 

The  Task  Force  Report  recommends  that  Congress  change  RICO  “to  include  computer  fraud 
within  the  definition  of  racketeering.”104  The  White  House  Proposal  would  make  felony  violation 


101  These  provisions,  along  with  possible  updates,  are  discussed  under  “Electronic  Communications  Privacy  Act  of 
1986.” 

102  There  is  no  uniform  definition  of  “cybercrime.”  Furthermore,  no  definitive  statistics  on  cybercrime  appear  to  be 
publically  available.  However,  the  public/private  Internet  Crime  Complaint  Center  referred  25  times  as  many  of  the 
complaints  it  received  to  law  enforcement  agencies  in  2010  (121,710)  as  in  2001  (4,810)  (Internet  Crime  Complaint 
Center,  2010  Internet  Crime  Report,  2011,  http://www.ic3.gov/media/annualreport/2010_IC3Report.pdf). 

103  For  details,  CRS  Report  96-950,  RICO:  A Brief  Sketch,  by  Charles  Doyle. 

1114  House  Republican  Cybersecurity  Task  Force,  Recommendations,  p.  14. 
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of  18  U.S.C.  §1030  (see  “Counterfeit  Access  Device  and  Computer  Fraud  and  Abuse  Act 
of  1984”)  a racketeering  predicate  offense. 


Federal  Advisory  Committee  Act  (FAC A) 

P.L.  93-579,  86  Stat  770. 

5 U.S.C.  App,  §§1-16. 


Major  Relevant  Provisions 

• Specifies  the  circumstances  under  which  a federal  advisory  committee  can  be 
established,  and  its  responsibilities  and  limitations. 

• Requires  that  meetings  of  such  committees  be  open  to  the  public  and  that  records 
be  available  for  public  inspection.105 

Possible  Updates 

The  act  has  been  criticized  as  potentially  impeding  the  full  development  of  public/private 
partnerships  in  cybersecurity,  particularly  with  respect  to  impeding  private -sector 
communications  and  input  on  policy.106  While  Section  871  of  the  HSA  provides  the  Secretary  of 
Homeland  Security  with  the  power  to  establish  advisory  committees  that  are  exempt  from  the 
requirements  of  the  act,  it  is  possible  that  additional  exemption  authority  would  be  helpful.  Any 
such  potential  benefits  might,  however,  need  to  be  weighed  against  the  impact  of  such  authority 
on  the  public’s  ability  to  participate  in  and  access  the  records  of  affected  advisory  committees. 
The  draft  bill  being  considered  by  the  House  Committee  on  Homeland  Security107  would  exempt 
the  organization  created  by  the  bill  from  requirements  of  the  act. 


Privacy  Act  of  1974 

P.L.  93-579,  88  Stat.  1896. 

5 U.S.C.  §552a. 

Major  Relevant  Provisions 

• Limits  the  disclosure  of  personally  identifiable  information  (Pll)  held  by  federal 
agencies. 

• Requires  agencies  to  provide  access  to  persons  with  agency  records  containing 
information  on  them. 


1115  For  more  information,  see  CRS  Report  R40520,  Federal  Advisory  Committees:  An  Overview,  by  Wendy  Ginsberg. 
106  Isabelle  Abele-Wigert  and  Myriam  Dunn,  International  CUP  Handbook  2006,  Vol.  I (Center  for  Security  Studies, 
ETH  Zurich,  2006),  p.  337,  http://www.css.ethz.ch/publications/CIIP_HB_06_V°ll.pdf;  Brunner  and  Suter, 
International  CUP  Handbook  2008/2009,  p.  456. 

1117  House  Committee  on  Homeland  Security,  “Hearing  on  Draft  Legislative  Proposal  on  Cybersecurity.” 
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• Established  a code  of  fair  information  practices  for  collection,  management,  and 
dissemination  of  records  by  agencies,  including  requirements  for  security  and 
confidentiality  of  records. 

Possible  Updates 

Some  observers  argue  that  the  act  should  be  revised  to  clarify,  in  the  context  of  cybersecurity, 
what  is  considered  PI1  and  how  it  can  be  used,  such  as  by  explicitly  permitting  the  sharing  among 
federal  agencies — or  with  appropriate  third  parties  such  as  owners  and  operators  of  critical 
infrastructure — of  certain  information,  such  as  a computer’s  Internet  (IP)  address,  in 
examinations  of  threats,  vulnerabilities,  and  attacks.  The  act  contains  some  exemptions,  such  as 
for  law  enforcement  activities  (5  U.S.C.  §552a(b)(7))  and  duties  of  the  Comptroller  General  (5 
U.S.C.  §552a(b)(10)),  but  none  relating  specifically  to  cybersecurity.  However,  other  observers 
may  argue  that  the  provisions  in  the  act  are  sufficient  to  permit  necessary  cybersecurity  activities, 
and  that  revising  the  act  to  provide  additional  authorities  relating  to  cybersecurity  could 
compromise  the  protections  provided  by  the  act.108  In  the  112th  Congress,  H.R.  1732  would  revise 
the  act  to  take  changes  in  information  technology  into  account,  but  does  not  specifically  address 
information  relating  to  cybersecurity. 

Counterfeit  Access  Device  and  Computer  Fraud  and  Abuse  Act 
of  1984 

P.L.  98-473,  98  Stat.  2190. 

18  U.S.C.  §1030. 

Major  Relevant  Provisions 

As  amended,109 

• Provides  criminal  penalties,  including  asset  forfeiture,  for  unauthorized  access 
and  wrongful  use  of  computers  and  networks  of  the  federal  government  or 
financial  institutions,  or  in  interstate  or  foreign  commerce  or  communication; 

• Specifies  wrongful  use  as  obtaining  protected  information,  damaging  or 
threatening  to  damage  a computer,  using  the  computer  to  commit  fraud, 
trafficking  in  stolen  computer  passwords,  and  espionage; 

• Criminalized  electronic  trespassing  on  and  exceeding  authorized  access  to  federal 
government  computers;  and 

• Created  a statutory  exemption  for  intelligence  and  law  enforcement  activities.110 


108  For  information  on  how  they  have  been  interpreted  by  the  courts,  see  Department  of  Justice,  “Overview  of  the 
Privacy  Act  of  1974,  2010  Edition,”  March  2,  2010,  http://www.justice.gov/opcF1974privacyact-overview.htm. 

109  The  Computer  Fraud  and  Abuse  Act  of  1986  (P.L.  99-474,  100  Stat.  1213)  expanded  the  scope  of  the  original  act. 
For  government  computers,  it  criminalized  electronic  trespassing,  exceeding  authorized  access,  and  destroying 
infonnation.  It  also  criminalized  trafficking  in  stolen  computer  passwords  and  created  a statutory  exemption  for 
intelligence  and  law  enforcement  activities. 

1 10  For  more  information,  see  CRS  Report  97-1025,  Cybercrime:  An  Overview  of  the  Federal  Computer  Fraud  and 
(continued...) 
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Possible  Update 

The  White  House  Proposal  would  add  penalties  for  damaging  certain  critical  infrastructure 
computers,  increase  penalties  for  most  violations  of  the  act,  clarify  certain  offenses,  and  modify 
the  act’s  conspiracy  and  forfeiture  provisions.  In  the  112th  Congress,  S.  2111,  S.  2151,  and  S. 
3342  have  similar  provisions.  S.  890,  S.  2151,  S.  3342,  and  the  White  House  Proposal  would 
enlarge  the  scope  of  the  password  trafficking  offense  by  removing  the  requirement  that  the 
computer  affect  interstate  commerce  or  be  used  by  the  United  States.  S.  1151  would  also  make 
several  changes  similar  to  but  not  as  extensive  as  those  in  the  Administration  proposal. 1 1 1 The 
Task  Force  Report  recommends  that  the  act  be  broadened  to  cover  critical  infrastructure  systems, 
and  possibly  all  private-sector  computers,  with  increased  criminal  penalties.  It  also  recommends 
that  provisions  should  be  focused  narrowly  enough  to  avoid  creating  unintended  liability  for 
legitimate  activities.112 


Electronic  Communications  Privacy  Act  of  1986  (ECPA) 

P.L.  99-508,  100  Stat.  1848. 

18  U.S.C.  §§2510-2522,  18  U.S.C.  §§2701-2712,  18  U.S.C.  §§3 121-3 126.113 

Major  Relevant  Provisions 

• Attempts  to  strike  a balance  between  the  fundamental  privacy  rights  of  citizens 
and  the  legitimate  needs  of  law  enforcement  with  respect  to  data  shared  or  stored 
in  various  types  of  electronic  and  telecommunications  services.114  Since  the  act 
was  passed  the  Internet  and  associated  technologies  have  expanded 
exponentially.115  The  act  consists  of  three  parts: 


(...continued) 

Abuse  Statute  and  Related  Federal  Criminal  Laws,  by  Charles  Doyle. 

111  See  CRS  Report  R41941,  The  Obama  Administration ’s  Cybersecurity  Proposed:  Criminal  Provisions,  by  Gina 
Stevens. 

112  House  Republican  Cybersecurity  Task  Force,  Recommendations,  p.  14. 

113  Prepared  by  Gina  Stevens,  Legislative  Attorney  (gstevens@crs.loc.gov,  7-2581). 

114  100  Stat.  1848;  see  also  House  Committee  on  the  Judiciary,  “Electronic  Communications  Privacy  Act  of  1986,” 
H.Rept.  99-647,  99th  Cong.  2d  Sess.  2,  at  19  (1986). 

115  House  Committee  on  the  Judiciary,  Subcommittee  on  the  Constitution,  Civil  Rights,  and  Civil  Liberties,  ECPA 
Reform  and  the  Revolution  in  Cloud  Computing,  2010,  http://judiciary.house.gov/hearings/hear_100923.html 
(statement  of  Edward  W.  Felton,  Professor  Princeton  University): 

In  1986,  when  ECPA  was  passed,  the  Internet  consisted  of  a few  thousand  computers.  The  network 
was  run  by  the  U.S.  government  for  research  and  education  purposes,  and  commercial  activity  was 
forbidden.  There  were  no  web  pages,  because  the  web  had  not  been  invented.  Google  would  not  be 
founded  for  another  decade.  Twitter  would  not  be  founded  for  another  two  decades.  Mark 
Zuckerberg,  who  would  grow  up  to  start  Facebook,  was  two  years  old.  In  talking  about  advances  in 
computing,  people  often  focus  on  the  equipment.  Certainly  the  advances  in  computing  equipment 
since  1986  have  been  spectacular.  Compared  to  the  high-end  supercomputers  of  1986,  today’s 
mobile  phones  have  more  memory,  more  computing  horsepower,  and  a better  network  connection 
not  to  mention  a vastly  lower  price. 
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A revised  Title  111  of  the  “Omnibus  Crime  Control  and  Safe  Streets  Act  of 
1968”  (also  known  as  “Title  111”  or  the  “Wiretap  Act”)116  prohibits  the 
interception  of  wire,  oral,  or  electronic  communications  unless  an  exception 
to  the  general  rule  applies.  Unless  otherwise  provided,  prohibits  wiretapping 
and  electronic  eavesdropping;  possession  of  wiretapping  or  electronic 
eavesdropping  equipment;  use  or  disclosure  of  information  obtained  through 
illegal  wiretapping  or  electronic  eavesdropping;  and  disclosure  of 
information  secured  through  court-ordered  wiretapping  or  electronic 
eavesdropping,  in  order  to  obstruct  justice.117 

The  Stored  Communications  Act  (SCA)lls  prohibits  unlawful  access  to  stored 

• • 1 19 

communications. 

The  Pen  Register  and  Trap  and  Trace  statute  governing  the  installation  and 
use  of  trap  and  trace  devices  and  pen  registers,120  proscribing  unlawful  use  of 
a pen  register  or  a trap  and  trace  device.121 

• Establishes  rules  that  law  enforcement  must  follow  before  they  can  access  data 
stored  by  service  providers.  Depending  on  the  type  of  customer  information 
involved  and  the  type  of  service  being  provided,  the  authorization  law 
enforcement  must  obtain  in  order  to  require  disclosure  by  a third  party  will  range 
from  a simple  subpoena  to  a search  warrant  based  on  probable  cause. 

Possible  Updates 

ECPA  reform  efforts  focus  on  crafting  a legal  structure  that  is  up-to-date,  can  be  effectively 
applied  to  modem  technology,  and  that  protects  users’  reasonable  expectations  of  privacy.  ECPA 
is  viewed  by  many  stakeholders  as  unwieldy,  complex,  and  difficult  forjudges  to  apply.122  Cloud 
computing123  poses  particular  challenges  to  the  ECPA  framework.  For  example,  when  law 
enforcement  officials  seek  data  or  files  stored  in  the  cloud,  such  as  web-based  e-mail  applications 
or  online  word  processing  services,  the  privacy  standard  that  is  applied  is  often  lower  than  the 
standard  that  applies  when  law  enforcement  officials  seek  the  same  data  stored  on  an  individual’s 
personal  or  business  hard  drive.124 


116  18U.S.C.  §2510-2522. 

117 18U.S.C.  §2511. 

118 18U.S.C.  §§2701-2712. 

119 18U.S.C.  §2701. 

120  18  U.S.C.  §§3121-3126.  A trap  and  trace  device  identifies  the  source  of  incoming  calls,  and  a pen  register  indicates 
the  numbers  called  from  a particular  phone. 

121  18  U.S.C.  §3121. 

12“  J.  Beckwith  Burr,  “The  Electronic  Communications  Privacy  Act  of  1986:  Principles  for  Reform,”  March  30,  2010, 
http://www.digitaldueprocess.org/files/DDP_Burr_Memo.pdf. 

123  “Cloud  computing  is  an  emerging  form  of  computing  that  relies  on  Internet-based  services  and  resources  to  provide 
computing  services  to  customers,  while  freeing  them  from  the  burden  and  costs  of  maintaining  the  underlying 
infrastructure.  Examples  of  cloud  computing  include  web-based  e-mail  applications  and  common  business  applications 
that  are  accessed  online  through  a browser,  instead  of  through  a local  computer”  (Government  Accountability  Office, 
Information  Security:  Federal  Guidance  Needed  to  Address  Control  Issues  with  Implementing  Cloud  Computing, 
GAO-10-513,  May  2010,  http://www.gao.gov/new.items/dl0513.pdf). 

124  House  Committee  on  the  Judiciary,  Subcommittee  on  the  Constitution,  Civil  Rights,  and  Civil  Liberties,  ECPA 
(continued...) 
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An  ECPA  reform  advocacy  coalition  has  advanced  the  following  principles: 

• A governmental  entity  may  require  an  entity  covered  by  ECPA  (a  provider  of 
wire  or  electronic  communication  service  or  a provider  of  remote  computing 
service)  to  disclose  communications  that  are  not  readily  accessible  to  the  public, 
but  only  with  a search  warrant  issued  based  on  a showing  of  probable  cause, 
regardless  of  the  age  of  the  communications,  the  means  or  status  of  their  storage 
or  the  provider’s  access  to  or  use  of  the  communications  in  its  normal  business 
operations. 

• A governmental  entity  may  access,  or  may  require  a covered  entity  to  provide, 
prospectively  or  retrospectively,  location  information  regarding  a mobile 
communications  device,  but  only  with  a warrant  issued  based  on  a showing  of 
probable  cause. 

• A governmental  entity  may  access,  or  may  require  a covered  entity  to  provide, 
prospectively  or  in  real  time,  dialed  number  information,  e-mail  to  and  from 
information  or  other  data  currently  covered  by  the  authority  for  pen  registers  and 
trap  and  trace  devices,  but  only  after  judicial  review  and  a court  finding  that  the 
governmental  entity  has  made  a showing  at  least  as  strong  as  the  showing  under 
2703(d). 

• Where  the  Stored  Communications  Act  authorizes  a subpoena  to  acquire 
information,  a governmental  entity  may  use  such  subpoenas  only  for  information 
related  to  a specified  account(s)  or  individual(s).  All  nonparticularized  requests 
must  be  subject  to  judicial  approval.125 

The  Task  Force  Report  recommends  changes  to  laws  governing  the  protection  of  electronic 
communications  to  facilitate  sharing  of  appropriate  cybersecurity  information,  including  the 
development  of  an  anonymous  reporting  mechanism.126 


Department  of  Defense  Appropriations  Act,  1987 

P.L.  99-591,  100  Stat.  3341-82,  3341-122. 

10U.S.C.  §167. 127 


Major  Relevant  Provisions 

• Provides  specific  authority  to  the  U.S.  Special  Operations  Command 
(USSOCOM)  for  the  conduct  of  direct  action,  strategic  reconnaissance, 


(...continued) 

Reform  and  the  Revolution  in  Cloud  Computing  (statement  of  Michael  Hintze,  Associate  General  Counsel,  Microsoft 
Corp.). 

125  Digital  Due  Process  Coalition,  “Our  Principles”,  2010,  http://www.digitaldueprocess.org/index.cfrn7objectkfr 
99629E 40-255 1 - 1 1 DF -8E02000C296B  A1 63 . 

126  House  Republican  Cybersecurity  Task  Force,  Recommendations,  p.  14.  For  more  infonnation  on  ECPA,  see  CRS 
Report  98-326,  Privacy:  An  Overview  of  Federal  Statutes  Governing  Wiretapping  and  Electronic  Eavesdropping,  by 
Gina  Stevens  and  Charles  Doyle. 

127  Prepared  by  John  Rollins,  Specialist  in  Terrorism  and  National  Security  (jrollins@crs.loc.gov,  7-5529). 
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unconventional  warfare,  foreign  internal  defense,  civil  affairs,  and  psychological 
operations;  also  counterterrorism,  humanitarian  assistance,  theater  search  and 
rescue,  and  such  other  activities  as  may  be  specified  by  the  President  or  the 
Secretary  of  Defense. 

Possible  Update 

In  addition  to  the  authority  provided  under  this  act,  Title  10  of  the  U.S.  Code  provides  inherent 
and  specific  authority  to  DOD  to  undertake  the  following  activities: 

• § 1 13  provides  that,  subject  to  the  direction  of  the  President,  the  Secretary  of 
Defense  has  authority,  direction,  and  control  over  DOD; 

• § 1 64  provides  specific  authority  for  combatant  commanders  for  the  performance 
of  missions  assigned  by  the  President  or  by  the  Secretary  with  the  approval  of  the 
President. 

Specific  authorities  for  combatant  commanders  are  provided  in  Title  1 0 to  use  force  in  self- 
defense  and  for  mission  accomplishment — including  in  the  recently  recognized  information 
operations  environment.  In  preparing  for  contingencies  or  military  operations,  DOD  undertakes 
activities  to  lessen  risks  to  U.S.  interests,  including  discrete  actions  to  prepare  for  and  respond  to 
a cyberwarfare -related  incident.128 

Some  military  activities  are  conducted  clandestinely  to  conceal  the  nature  of  the  operation  and 
passively  collect  intelligence.  Activities  focused  on  influencing  the  governing  of  a foreign 
country  are  deemed  covert  actions124  and  may  not  be  conducted  by  members  of  the  military 
absent  a presidential  finding  and  notification  of  the  congressional  intelligence  committees.130 

Some  analysts  suggest  that  in  the  cyber  domain  distinguishing  between  whether  an  action  is  or 
should  be  considered  covert  or  clandestine  is  problematic,  as  an  attacking  adversary’s  intent  and 
location  are  often  difficult  to  discern.  Should  this  act  be  updated,  reassessing  DOD’s  authorities  in 
light  of  its  unique  intelligence  capabilities  may  assist  in  responding  to  and  conducting  offensive 
cyber  attacks. 


High  Performance  Computing  Act  of  1991 

P.L.  102-194,  105  Stat.  1594. 

15U.S.C.  Chapter  81. 131 


128  CRS  Report  RL3 1787,  Information  Operations,  Cyberwarfare,  and  Cybersecurity:  Capabilities  and  Related  Policy 
Issues,  by  Catherine  A.  Theohary. 

129  50  U.S.C.  §4 1 3b(e)  defines  a covert  action  as  “an  activity  or  activities  of  the  United  States  Government  to  influence 
political,  economic,  or  military  conditions  abroad,  where  it  is  intended  that  the  role  of  the  United  States  Government 
will  not  be  apparent  or  acknowledged  publicly,  but  does  not  include  . . . activities  the  primary  purpose  of  which  is  to 
acquire  intelligence  . . . [or]  traditional  military  activities  or  routine  support  to  such  activities.” 

130  For  an  explanation  and  analysis  of  issues  relating  to  covert  and  clandestine  activities  see  CRS  Report  RL33715, 
Covert  Action:  Legislative  Background  and  Possible  Policy  Questions,  by  Richard  F.  Grimmett. 

131  Parts  of  the  chapter  have  also  been  given  other  popular  names:  the  Next  Generation  Internet  Research  Act  of  1998 
(P.L.  105-305),  and  the  Department  of  Energy  High-End  Computing  Revitalization  Act  of  2004. 
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Major  Relevant  Provisions 

• Establishes  a federal  high-performance  computing  program  and  requires  that  it 
address  security  needs. 

• Requires  that  the  program  provide  for  interagency  coordination  and  that  an 
annual  report  on  implementation  be  submitted  to  Congress. 

• Requires  NIST  to  establish  security  and  privacy  standards  in  high-performance 
computing  for  federal  systems. 

Possible  Updates 

This  act  established  the  Networking  and  Information  Technology  Research  and  Development 
(NITRD)  Program,  which  produces  the  required  annual  report.  However,  concerns  have  been 
raised  that  the  program  does  not  yield  sufficient  strategic  planning  and  does  not  sufficiently  stress 
cybersecurity  research  and  development  (R&D).  In  the  1 1 1th  Congress,  H.R.  2020,  which  passed 
the  House,  would  have  addressed  that  concern  by  requiring  a five-year  strategic  plan  with  three- 
year  reviewing  cycle.  It  would  also  have  added  a research  goal  of  increasing  understanding  “of 
the  scientific  principles  of  cyber-physical  systems”  and  improving  methods  for  designing, 
developing,  and  operating  such  systems  with  high  reliability,  safety,  and  security.  H.R.  3834  in 
the  1 12th  Congress  is  similar  but  adds  provisions  on  cloud  computing.  S.  773  in  the  1 1 1th 
Congress  would  have  required  NIST  to  develop  cybersecurity  standards  and  metrics  for  computer 
networks  and  user  interfaces,  as  would  S.  2105  and  S.  3414  in  the  1 12th  Congress.  S.  215 1 and  S. 
3342  would  establish  cybersecurity,  including  security  of  supply  chains,  as  one  of  the  goals  for 
research  under  the  act  and  contains  a requirement  similar  to  that  of  H.R.  3834  for  cyber-physical 
systems.  H.R.  3834,  S.  2151,  and  S.  3342  would  also  make  a number  of  other  amendments  not 
directly  related  to  cybersecurity. 


Communications  Assistance  for  Law  Enforcement  Act  of  1994 
(CALEA) 

P.L.  103-414,  108  Stat.  4279. 

47  U.S.C.  §1001  et  seq.132 

Major  Relevant  Provisions 

• Requires  telecommunications  carriers  to  assist  law  enforcement  in  performing 
electronic  surveillance  on  their  digital  networks  pursuant  to  court  orders  or  other 
lawful  authorization. 

• Directs  the  telecommunications  industry  to  design,  develop,  and  deploy  solutions 
that  meet  requirements  for  carriers  to  support  authorized  electronic  surveillance, 
including  unobtrusive  isolation  of  communications  and  call-identifying 
information  for  a target  and  provision  of  that  information  to  law  enforcement,  in 


132  Prepared  by  Patricia  Moloney  Figliola,  Specialist  in  Internet  and  Telecommunications  Policy 
(pfigliola@crs.loc.gov,  7-2508). 
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a manner  that  does  not  compromise  the  privacy  and  security  of  other 
communications. 

Possible  Updates 

Some  government  and  industry  observers  believe  that  CALEA  should  be  revised  to  improve  its 
effectiveness  in  addressing  cybersecurity  concerns.  Among  the  concerns  expressed  are  whether 
the  act  is  the  best  mechanism  for  collecting  information  transmitted  via  the  Internet,  whether 
reassessment  is  needed  of  which  private -sector  entities  the  act  covers  and  which  government 
entities  should  be  involved  in  enforcement  and  oversight,  and  what  the  role  of  industry  should  be 
in  the  development  of  the  technologies  and  standards  used  to  implement  the  provisions  of  the  act. 
The  Task  Force  Report  recommends  changes  to  laws  governing  the  protection  of  electronic 
communications  to  facilitate  sharing  of  appropriate  cybersecurity  information,  including  the 
development  of  an  anonymous  reporting  mechanism.133 


Communications  Decency  Act  of  1996 

P.L.  104-104  (Title  V),  110  Stat.  133. 

47  U.S.C.  §§223,  230. 134 

Major  Relevant  Provisions 

• Intended  to  regulate  indecency  and  obscenity  on  telecommunications  systems, 
including  the  Internet.  Although  much  of  the  law  is  targeted  at  lewd  or 
pornographic  material,  particularly  when  shown  to  children  under  the  age  of  18, 
the  obscenity  and  harassment  provisions  could  also  be  interpreted  as  applying  to 
graphic,  violent  terrorist  propaganda  or  incendiary  language. 

• Section  230(c)(1)  asserts  that  “no  provider  or  user  of  an  interactive  computer 
service  shall  be  treated  as  the  publisher  or  speaker  of  any  information.”  This  has 
been  interpreted  to  absolve  Internet  service  providers  and  certain  web-based 
services  of  responsibility  for  third-party  content  residing  on  those  networks  or 
websites.135 

Possible  Updates 

Some  argue  that  certain  Internet  content,  such  as  terrorist  chat  rooms  or  propaganda  websites, 
presents  a national  security  or  operational  threat  that  is  not  represented  within  the 
Communications  Decency  Act.  Further,  should  such  material  be  deemed  as  “indecent,”  the  law 
does  not  give  federal  agencies  the  authority  to  require  that  the  Internet  service  providers  hosting 
the  content  to  take  it  offline. 


133  House  Republican  Cybersecurity  Task  Force,  Recommendations,  p.  14. 

134  Prepared  by  Catherine  A.  Theohary,  Analyst  in  National  Security  Policy  and  Infonnation  Operations 
(ctheohary@crs.loc.gov,  7-0844).  These  provisions  are  codified  to  Chapter  5 of  Title  47,  the  “Communications  Act  of 
1934.”  Codification  of  the  various  provisions  of  this  act  is  complex.  See  47  U.S.C.  §609  nt.  for  details. 

135  See  CRS  Report  R41499,  The  Communications  Decency  Act:  Section  230(c)(1)  and  Online  Intermediary  Liability, 
by  Kathleen  Ann  Ruane  and  Julia  Tamulis. 
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These  critics  maintain  that  the  law  should  be  revised  to  compel  ISPs  and  web  administrators  to 
dismantle  sites  containing  information  that  could  be  used  to  incite  harm  against  the  United  States. 
A possible  revision  could  be  similar  to  the  “take  down  and  put  back”  provision  in  the  Digital 
Millennium  Copyright  Act,  112  Stat.  2860,  P.L.  105-304  which  amended  title  17  of  the  U.S.  Code 
to  hold  a service  liable  for  publishing  material  that  is  defamatory  or  infringes  upon  a third  party 
copyright. 

Others  maintain  that  such  a revision  is  counter  to  the  spirit  of  free,  open  exchange  of  information 
that  is  characterized  by  the  Internet  and  may  be  a First  Amendment  violation.  Some  have  also 
expressed  concerns  that  the  intelligence  value  gained  by  preserving  and  monitoring  the  sites 
outweighs  the  potential  threat  risk. 


Clinger-Cohen  Act  (Information  Technology  Management  Reform 
Act)  of  1996 

P.L.  104-106  (Divisions  D and  E),  110  Stat.  642. 

40  U.S.C.  §11101  etseq.136 


Major  Relevant  Provisions 

• Gave  agency  heads  authority  to  acquire  IT  and  required  them  to  ensure  the 
adequacy  of  agency  information  security  policies. 

• Established  the  position  of  agency  Chief  Information  Officer  (CIO),  responsible 
for  assisting  agency  heads  in  IT  acquisition  and  management. 

• Requires  the  Office  of  Management  and  Budget  (OMB)  to  oversee  major 
information  technology  (IT)  acquisitions. 

• Requires  OMB  to  promulgate,  in  consultation  with  the  Secretary  of  Homeland 
Security,  compulsory  federal  computer  standards  based  on  those  developed  by 
the  National  Institute  of  Standards  and  Technology  (NIST).137 

• Exempts  national  security  systems  from  most  provisions. 

Possible  Update 

With  the  increasing  globalization  of  the  IT  hardware  and  software  industries,  concerns  have  been 
growing  among  cybersecurity  experts  about  potential  vulnerabilities  at  various  points  along  the 
supply  chain  for  IT  products.  H.R.  1136,  introduced  in  the  1 12th  Congress,  would  address  such 
concerns  with  respect  to  federal  acquisition  of  IT  products  and  services  by  requiring  vendors  to 


136  Prepared  by  Wendy  R.  Ginsberg,  Analyst  in  Government  Organization  and  Management  (wginsberg@crs.loc.gov, 
7-3933),  and  Eric  A.  Fischer.  The  two  divisions,  originally  known  as  the  Federal  Acquisition  Reform  Act  and  the 
Infonnation  Technology  Management  Reform  Act,  were  renamed  as  the  Clinger-Cohen  Act  by  P.L.  104-208  and 
reclassified  into  40  U.S.C.  Subtitle  III  by  P.L.  107-217  (see  40  U.S.C.  §101  nt). 

137  The  Clinger-Cohen  Act  originally  gave  this  promulgation  authority  to  the  Secretary  of  Commerce,  while  providing 
the  President  authority  to  disapprove  or  modify  such  standards,  and  gave  the  Secretary  authority  to  waive  the  standards 
in  specific  cases  to  avoid  adverse  financial  or  mission-related  impacts.  The  “Federal  Infonnation  Security  Management 
Act  of  2002  (FISMA),”  enacted  as  part  of  the  Homeland  Security  Act,  transferred  that  authority  to  OMB. 
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meet  security  requirements  to  be  developed  by  OMB,  and  also  requiring  vulnerability 
assessments  by  agencies. 

S.  413  (similar  to  S.  3480  in  the  111th  Congress),  S.  2105,  S.  2151,  S.  3342,  S.  3414,  and  the 
White  House  Proposal  would  return  the  authority  for  promulgating  standards  for  federal  systems 
to  the  Secretary  of  Commerce.138  H.R.  4257,  in  contrast,  would  not  amend  that  provision. 

Congress  and  the  executive  branch  have  debated  the  limits  of  the  authority  and  jurisdiction  of 
CIOs  since  their  establishment.  In  the  private  sector,  CIOs  may  often  serve  as  the  senior  IT 
decision  maker.  In  federal  agencies,  in  contrast,  CIOs  do  not  have  budgetary  control  or  authority 
over  IT  resources. lj9  As  part  of  a plan  to  reform  federal  IT  management,140  the  Obama 
Administration  has  indicated  its  intention  to  change  the  role  of  CIOs  “away  from  just 
policymaking  and  infrastructure  maintenance,  to  encompass  true  portfolio  management  for  all 
IT,”  including  information  security.141  The  White  House  Proposal  does  not  include  any  provisions 
related  to  that  proposed  change,  but  additional  legislative  authority  may  be  required  for  such  a 
change  to  be  fully  implemented. 

The  Obama  Administration  also  appointed  a federal  chief  information  officer  and  a federal  chief 
technology  officer  (CTO),  positions  first  created  in  the  George  W.  Bush  Administration,  where 
the  OMB  deputy  director  of  management  also  served  as  federal  CIO.  In  the  1 1 1th  Congress,  H.R. 
1910  and  H.R.  5136,  and  H.R.  1 136  in  the  112th  Congress,  contain  provisions  to  establish  a 
statutory  basis  for  the  CTO  position,  not,  however,  explicitly  as  amendments  to  the  Clinger- 
Cohen  Act.142  Some  proposals  in  previous  Congresses  would  also  have  established  the  federal 
CIO  position  in  law.143 


Identity  Theft  and  Assumption  Deterrence  Act  of  1998 

RL.  105-318,  112  Stat.  3007. 

18U.S.C.  §1028. 144 


138  See  the  discussion  of  FISMA,  p.  43. 

139  They  do  have  authority  under  FISMA  to  ensure  compliance  with  that  law’s  information  security  requirements  (44 
U.S.C.  §3544).  Some  agency  CIOs  also  have  statutory  authority  in  addition  to  that  provided  by  Clinger-Cohen  and 
FISMA.  For  example,  the  CIO  of  the  intelligence  community  has  procurement  approval  authority  for  IT  (50  U.S.C. 
§403-3g),  and  CIOs  within  DOD  have  budgetary  review  authority  (10  U.S.C.  §2223). 

140  Vivek  Kundra,  25-Point  Implementation  Plan  to  Reform  Federal  Information  Technology  Management  (The  White 
House,  December  9,  2010),  http://www.cio.gov/documents/25-Point-Implementation-Plan-to-Refonn- 

F ederal%20IT.pdf. 

141  Jacob  J.  Lew,  “Chief  Information  Officer  Authorities,”  Memorandum  for  the  Heads  of  Executive  Departments  and 
Agencies,  M-l  1-29,  August  8,  201 1,  pp.  1-2,  http://www.whitehouse.gov/sites/default/files/omb/memoranda/201 1/ 
ml  l-29.pdf. 

142  See  CRS  Report  R40150.A  Federal  Chief  Technology  Officer  in  the  Obama  Administration:  Options  and  Issues  for 
Consideration,  by  John  F.  Sargent  Jr. 

143  See,  for  example,  CRS  Report  RL30914,  Federal  Chief  Information  Officer  (CIO):  Opportunities  and  Challenges, 
by  Jeffrey  W.  Seifert. 

144  Prepared  by  Kristin  M.  Finklea,  Coordinator,  Analyst  in  Domestic  Security  (kfmklea@crs.loc.gov,  7-6259).  See  18 
U.S.C.  §1001  nt.  for  classification  details. 
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Major  Relevant  Provisions 

• Made  identity  theft  a federal  crime. 

• Provided  penalties  for  individuals  who  either  committed  or  attempted  to  commit 
identity  theft. 

• Provided  for  forfeiture  of  property  used  or  intended  to  be  used  in  the  fraud. 

• Directed  the  Federal  Trade  Commission  (FTC)  to  record  complaints  of  identity 
theft,  provide  victims  with  informational  materials,  and  refer  complaints  to  the 
appropriate  consumer  reporting  and  law  enforcement  agencies.145 

Possible  Updates 

See  “Identity  Theft  Penalty  Enhancement  Act”  below. 


Homeland  Security  Act  of  2002  (HSA) 

P.L.  107-296  (Titles  11  and  111),  116  Stat.  2135. 

6 U.S.C.  §§121-195c,  441-444,  and  481-486.146 

Major  Relevant  Provisions 

• Transferred  some  functions  relating  to  the  protection  of  information 
infrastructure  from  other  agencies  to  the  Department  of  Homeland  Security 
(DHS).147 

• Requires  DHS  to  provide  state  and  local  governments  and  private  entities  with 
threat  and  vulnerability  information,  crisis-management  support,  and  technical 
assistance  relating  to  recovery  plans  for  critical  information  systems. 

• Permits  the  Secretary  of  Homeland  Security  to  designate  qualified  technologies 
as  subject  to  certain  protections  from  liability  in  claims  relating  to  their  use  in 
response  to  an  act  of  terrorism.148 

• Established  mechanisms  to  facilitate  information  sharing  among  federal  agencies 
and  appropriate  nonfederal  government  and  critical-infrastructure  personnel.149 


145  The  FTC  now  records  consumer  complaint  data  and  reports  it  in  the  Identity  Theft  Data  Clearinghouse  (Federal 
Trade  Commission,  “Reference  Desk,”  Fighting  Back  Against  Identity  Theft , December  22,  2010,  http://www.ftc.gov/ 
bcp/edu/microsites/idtheft/reference-desk/index.html);  identity  theft  complaint  data  are  available  for  2000  and  forward. 

14(1  For  classification  details,  see  6 U.S.C.  §101  nt. 

147  In  particular,  the  act  transferred  to  DHS  the  Federal  Computer  Incident  Response  Center,  which  had  resided  in  the 
General  Services  Administration  (GSA).  In  2006,  P.L.  109-295,  The  Department  of  Homeland  Security  Appropriations 
Act,  2007,  established  the  position  of  Assistant  Secretary  for  Cybersecurity  and  Communications  (6  U.S.C.  §321) 
within  DHS  but  did  not  specify  duties  or  responsibilities. 

148  This  set  of  provisions  (Subtitle  G of  Title  VIII,  6 U.S.C.  §441-444)  is  called  the  SAFETY  Act. 

149  This  set  of  provisions  (Subtitle  I of  Title  VIII,  6 U.S.C.  §481-486)  is  called  the  Homeland  Security  Information 
Sharing  Act.  Section  486  was  added  by  P.L.  109-90  and  provides  some  liability  protections  relating  to  actions 
involving  information  sharing  and  analysis  centers. 
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• Authorized  DHS  to  establish  a system  of  volunteer  experts  (“Net  Guard”)  to 
assist  local  communities  in  responding  to  attacks  on  information  and 
communications  systems. 

• Strengthened  some  criminal  penalties  relating  to  cybercrime. 

• Created  the  Directorate  of  Science  and  Technology  within  DHS  and  assigned  it 
broad  R&D  responsibilities,  although  responsibilities  relating  to  cybersecurity 
R&D  were  not  specifically  described. 

Possible  Updates 

Various  concerns  have  been  raised  about  the  ways  in  which  the  act  addressed  cybersecurity,  and  a 
number  of  proposals  have  been  made  since  its  enactment  to  enhance  the  cybersecurity  provisions. 
In  the  1 1 1th  Congress,  the  most  comprehensive  legislative  proposal  was  in  S.  3480,  which  was 
reported  out  of  the  Senate  Committee  on  Homeland  Security  and  Governmental  Affairs  in  the 
1 1 1th  Congress,  and  reintroduced  in  the  1 12th  Congress  as  S.  413  with  minor  modifications.  It 
would  add  provisions  on  cybersecurity  that  would 

• establish  a center  for  cybersecurity  and  communications  within  DHS; 

• require  coordination  with  the  DHS  Office  of  Infrastructure  Protection  and  sector- 
specific  agencies; 

• establish  the  United  States  Computer  Emergency  Readiness  Team  (US-CERT) 
within  the  center; 

• stipulate  information-sharing  procedures  for  federal  agencies  and  other  entities; 

• establish  a program  within  the  center  to  provide  assistance  to  the  private  sector; 

• require  the  center  to  identify  cyber  vulnerabilities  to  critical  infrastructure  and 
establish  requirements  to  address  them; 

• establish  procedures  for  response  to  imminent  cyber  threats  to  critical 
infrastructure,150  enforcement  of  requirements,  and  protection  of  information;  and 

• require  a risk-management  strategy  for  security  of  the  supply  chain. 

It  would  establish  a cybersecurity  R&D  program  in  DHS  and  require  coordination  of  those 
activities  with  other  agencies  and  private  entities.  It  would  also  establish  a public/private-sector 
cybersecurity  advisory  council. 

The  White  House  Proposal  would  also  substantially  enhance  DHS  authority  relating  to 
cybersecurity.  The  proposal  would  differ  in  several  ways  from  the  approach  taken  by  S.  413. 
Among  other  differences,  it  would  provide  enhanced  authority  to  the  DHS  Secretary  that  S.  413 
provides  directly  to  a new  center  within  the  department.  However,  the  White  House  Proposal 
would  require  the  Secretary  to  establish  a center  with  cybersecurity  responsibilities  for  federal 
and  critical  infrastructure  systems.151  It  also  does  not  codify  the  establishment  of  US-CERT, 


150  See  also  “Communications  Act  of  1934”  above. 

151  This  center  would  presumably  replace  the  federal  incident  center  currently  required  under  44  U.S.C.  3546.  The 
revision  of  the  Federal  Information  Security  Management  Act  of  2002  (FISMA)  in  the  White  House  Proposal  does  not 
include  the  latter  center. 
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unlike  S.  413,  and  does  not  provide  the  President  with  the  authority  to  implement  emergency 
actions  in  response  to  an  imminent  risk  to  critical  infrastructure.  It  does,  however,  provide  the 
DHS  Secretary  with  authority  to  direct  responses  of  federal  agencies  to  cybersecurity  threats  or 
incidents. 

S.  2105  and  S.  3414  contain  elements  of  both  the  WJute  House  Proposal  and  S.  413.  They  would 
establish  a new  center,  with  new  authorities,  but  omit  the  provision  in  S.  413  establishing  US- 
CERT  by  law,  as  well  as  the  provision  on  presidential  emergency  powers.  S.  2105  and  S.  3414 
would  require  the  Science  and  Technology  Directorate  of  DHS  to  establish  a cybersecurity  R&D 
plan.  S.  1546  would  also  require  departmental  cybersecurity  research. 

H.R.  3674,  as  reported  to  the  House,  would  provide  additional  responsibilities  and  authorities  to 
DHS  for  the  protection  of  federal  information  systems.  It  would  provide  for  information  sharing 
with  federal  and  nonfederal  entities,  cybersecurity  research  and  development  (R&D),  and 
recruitment  and  retention  of  cybersecurity  personnel.  To  facilitate  information  sharing  and 
technical  assistance,  it  would  create  a center  within  DHS  that  would  include  a private-sector 
board  of  advisors.  Unlike  the  bill  as  introduced,  it  does  not  include  a nongovernmental 
clearinghouse  for  sharing  cybersecurity  information  between  the  private  sector  and  the  federal 
government  that  was  recommended  by  the  Task  Force  Report.  H.R.  3674  would  also  require  DHS 
to  perform  cybersecurity  R&D,  to  include  testing,  evaluation,  and  technology  transfer. 

Some  other  bills  in  the  1 1 1th  Congress  would  also  have  revised  the  act.  H.R.  6423,  reintroduced  as 
H.R.  174  in  the  1 12th  Congress,  would  establish  a new  office  to  develop,  oversee,  and  enforce 
cybersecurity  compliance  for  critical  infrastructure  sectors.  H.R.  266,  reintroduced  as  H.R.  76, 
would  add  a cybersecurity  fellowship  program  for  nonfederal  officials  to  familiarize  them  with 
DHS  cybersecurity  activities.  H.R.  4507  and  H.R.  4842  would  have  added  a cybersecurity 
training  initiative  for  first  responders  and  others.  H.R.  2868  and  S.  3599  would  have  added 
chemical-facility  security  measures,  including  cybersecurity,  to  the  act. 

See  also  “Information  Sharing.” 


Federal  Information  Security  Management  Act  of  2002  (FISMA) 

P.L.  107-296  (Title  X),  116  Stat.  2259. 

P.L.  107-347  (Title  111),  116  Stat.  2946. 

44  U.S.C.  Chapter  35,  Subchapters  11  and  111,  [40  U.S.C.  11331,  15  U.S.C.  278g-3  & 4].152 

Major  Relevant  Provisions 

FISMA  created  a security  framework  for  federal  information  systems,  with  an  emphasis  on  risk 
management,  and  gave  specific  responsibilities  to  the  Office  of  Management  and  Budget  (OMB), 
the  National  Institute  of  Standards  and  Technology  (NIST),  and  the  heads,  chief  information 


1,2  FISMA  was  originally  enacted  as  part  of  the  Homeland  Security  Act  of  2002,  replacing  provisions  enacted  by  the 
Floyd  D.  Spence  National  Defense  Authorization  Act  for  Fiscal  Year  2001  (P.L.  106-398,  Title  X,  Subtitle  G),  enacted 
in  2000  but  with  a 2002  sunset.  FISMA  was  reenacted  in  the  same  Congress  by  the  E-government  Act.  Subchapter  II  is 
not  in  effect.  The  title  40  provision  was  originally  enacted  as  part  of  the  Clinger-Cohen  Act  (see  p.  39),  and  the  title  15 
provisions  are  part  of  the  NIST  Act  (see  p.  23).  See  footnote  154  for  more  detail. 
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officers  (CIOs),  chief  information  security  officers  (CISOs),  and  inspector  generals  (IGs)  of 
federal  agencies.153 

• Required  executive  agencies  to  inventory  major  computer  systems,  identify  and 
provide  appropriate  security  protections,  and  develop,  document,  and  implement 
agency-wide  information  security  programs. 

• Gave  OMB  responsibility  for  overseeing  federal  information-security  policy  and 
evaluating  agency  information-security  programs,  but  exempted  national  security 
systems,  except  with  respect  to  enforcement  of  accountability  for  meeting 
requirements  and  reporting  to  Congress. 

• Revised  the  responsibilities  of  the  Secretary  of  Commerce  and  NIST  for 
information-system  standards  and  transferred  responsibility  for  promulgation  of 
those  standards  from  the  Secretary  of  Commerce  to  OMB.154 

• Required  that  NIST  cybersecurity  standards  be  complementary  with  those 
developed  for  national  security  systems,  to  the  extent  feasible. 

• Required  heads  of  federal  agencies  to  provide  security  protections  commensurate 
with  risk  and  to  comply  with  applicable  security  standards.  Specifically  required 
agencies  using  national  security  systems  to  provide  security  protections 
commensurate  with  risk  and  in  compliance  with  standards  for  such  systems. 

• Required  senior  agency  officials  to  perform  risk  assessments,  to  determine  and 
implement  necessary  security  controls  in  a cost-effective  manner,  and  to  evaluate 
those  controls  periodically. 

• Designated  specific  information-security  responsibilities  for  agencies’  chief 
information  security  officers,  including  agency-wide  information-security 
programs,  policies,  and  procedures,  and  training  of  security  and  other  personnel. 

• Required  designation  of  an  information-security  officer  in  each  agency,  security 
awareness  training,  processes  for  remedial  action  to  address  deficiencies,  and 
procedures  for  handling  security  incidents  and  ensuring  continuity  of  operations. 

153  For  a more  detailed  description,  see,  for  example.  Government  Accountability  Office,  Information  Security: 
Weabiesses  Continue  Amid  New  Federal  Efforts  to  Implement  Requirements,  GAO- 12-137,  October  2011, 
http://www.gao  .gov/new.  items/ d 1 2 1 3 7 .pdf. 

154  The  standards-promulgation  authority  had  been  granted  to  the  Secretary  of  Commerce  under  the  Clinger-Cohen  Act 
of  1996  (P.L.  104-106)  but  was  transferred  to  the  Director  of  OMB  by  the  FISMA  title  in  the  HSA  in  2002  (P.L.  107- 
296,  Section  1002,  40  U.S.C.  11331).  The  version  currently  in  effect  (44  U.S.C.  Chapter  35,  Subchapter  III)  was 
enacted  by  the  FISMA  title  in  the  E-Government  Act  of  2002  (P.L.  107-347,  Title  III),  which  suspended  Subchapter  II, 
which  had  been  revised  by  the  HSA.  That  is  not  the  case  for  40  U.S.C.  1 1 33 1 , for  which  the  P.L.  107-347  version 
would  have  retained  the  authority  of  the  Secretary  of  Commerce  to  promulgate  those  standards  as  established  in  the 
Clinger-Cohen  Act  of  1996  (see  p.  39),  even  though  the  E-Government  Act  was  enacted  after  the  HSA.  Similarly,  the 
revision  to  the  NIST  Act  at  15  U.S.C.  278g-3  & 4 is  that  made  by  the  HSA.  The  reason  for  this  potentially  confusing 
difference  appears  to  be  that  (1)  the  effective  date  of  HSA  was  later  than  that  of  the  E-Government  Act,  and  (2)  HSA 
amended  the  existing  subchapter  II  of  44  U.S.C.  Chapter  35;  the  E-Government  Act  explicitly  suspended  that 
subchapter.  In  contrast,  the  revisions  both  laws  made  to  the  Paperwork  Reduction  Act,  adding  a subsection  (c)  to  44 
U.S.C.  §3505  (requiring  inventories  of  federal  information  systems)  were  codified.  However,  in  a signing  statement  for 
the  E-Government  Act,  President  George  W.  Bush  stated  that  the  Administration  would  interpret  the  act  as  permanently 
superseding  HSA  “in  those  instances  where  both  Acts  prescribe  different  amendments  to  the  same  provisions  of  the 
United  States  Code”  (President  George  W.  Bush,  “About  E-Gov:  Presidential  Statement,”  December  17,  2002, 
http://georgewbush-whitehouse.archives.gov/omb/egov/g-3-statement.html).  Such  ambiguities  in  interpretation  would 
presumably  be  resolved  if  FISMA  is  revised. 
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• Required  annual  agency  reports  to  Congress,  performance  plans,  and  independent 
evaluations  of  information  security. 

• Established  a central  federal  incident  center,  overseen  by  OMB,  to  analyze 
incidents  and  provide  technical  assistance  relating  to  them,  to  inform  agency 
operators  about  current  and  potential  threats  and  vulnerabilities,  and  to  consult 
with  NIST,  NSA,  and  other  appropriate  agencies  about  incidents. 

• Gave  responsibility  for  protection  of  mission-crucial  systems  in  DOD  and  the 
CIA  to  the  Secretary  of  Defense  and  the  DC1,  respectively,  and  required  the 
Secretary  of  Defense  to  include  compliance  with  the  provisions  above  in 
developing  program  strategies  for  the  Defense  Information  Assurance  Program 
(10U.S.C.  §2224). 

Possible  Updates 

A commonly  expressed  concern  about  F1SMA  is  that  it  is  awkward  and  inefficient  in  providing 
adequate  cybersecurity  to  government  IT  systems.  The  causes  cited  have  varied  but  common 
themes  have  included  inadequate  resources,  a focus  on  procedure  and  reporting  rather  than 
operational  security,  lack  of  widely  accepted  cybersecurity  metrics,  variations  in  agency 
interpretation  of  the  mandates  in  the  act,  excessive  focus  on  individual  information  systems  as 
opposed  to  the  agency’s  overall  information  architecture,  and  insufficient  means  to  enforce 
compliance  both  within  and  across  agencies.155  Several  legislative  proposals  in  the  1 1 1th  and  1 12th 
Congresses  have  included  major  revisions  to  the  act.  The  proposals  varied  in  detail,  with  several 
notable  provisions  in  some: 

• Creation  of  a White  House  office  with  responsibility  for  cybersecurity; 

• Transfer  of  responsibilities  from  OMB  to  the  Secretary  of  Homeland  Security  or 
the  Secretary  of  Commerce; 

• Revisions  to  agency  responsibilities  under  the  act,  including  continuous 
monitoring,  use  of  metrics,  and  emphasis  on  risk-based  rather  than  minimum 
security  measures; 

• Changes  in  reporting  requirements; 

• Specification  of  cybersecurity  requirements  for  acquisitions  and  the  IT  supply 
chain;  and 

• Establishment  of  mechanisms  for  interagency  collaboration  on  cybersecurity. 


155  See,  for  example,  S.Rept.  1 11-368,  and  House  Subcommittee  on  Government  Management,  Organization,  and 
Procurement,  The  State  of  Federal  Information  Security,  Committee  on  Oversight  and  Government  Reform 
(Washington,  DC:  U.S.  Government  Printing  Office,  2009),  http://www.gpo.gov/fdsys/pkg/CHRG-l  1 lhhrg57125/pdf/ 
CHRG-1 1 lhhrg57125.pdf.  OMB  has  recently  attempted  to  address  some  of  the  operational  issues  administratively  by 
delegating  some  responsibilities  to  DHS  (Orszag  and  Schmidt,  “Clarifying  Cybersecurity  Responsibilities  and 
Activities  of  the  Executive  Office  of  the  President  and  the  Department  of  Homeland  Security  (DHS)”).  Weaknesses  in 
FISMA  implementation  have  been  cited  repeatedly  by  GAO  in  reports  required  by  the  act  (see,  for  example, 
Government  Accountability  Office,  Information  Security:  Weaknesses  Continue  Amid  New  Federal  Efforts  to 
Implement  Requirements). 
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In  the  1 1 1th  Congress,  H.R.  5136  passed  in  the  House,156  and  S.  3480  was  reported  out  of  the 
Senate  Homeland  Security  and  Governmental  Affairs  Committee. 

In  the  1 12th  Congress,  the  Task  Force  Report  recommends  an  increased  focus  on  monitoring, 
support  for  DHS  authority,  and  taking  new  and  emerging  technologies,  such  as  cloud  computing, 
into  account.157  H.R.  1136  would  make  many  changes  similar  to  those  in  H.R.  5136  in  the  1 1 1th 
Congress,  transferring  responsibility  to  a new  White  House  Office  for  Cyberspace  created  by  the 
bill.  H.R.  4257,  in  contrast,  retains  the  current  role  of  the  OMB  Director.  H.R.  4257  passed  the 
House  under  suspension  of  the  rules  in  April  2012. 

S.  413  would  make  changes  similar  to  those  in  S.  3480  in  the  previous  Congress,  transferring 
responsibility  for  federal  information  security  policy  from  the  Director  of  OMB  to  the  Director  of 
a new  DHS  center  that  the  bill  would  establish.  The  White  House  Proposal  is  broadly  similar  to 
congressional  proposals  in  many  details.  However,  it  would  not  create  a White  House 
cybersecurity  office  and  would  transfer  responsibilities  to  the  DHS  Secretary  rather  than  to  a new 
cybersecurity  center  within  DHS.  S.  2105  and  S.  3414  include  a similar  approach.  S.  2151  and  S. 
3342,  in  contrast,  would  transfer  responsibilities  from  OMB  to  the  Secretary  of  Commerce. 

S.  1535  would  require  that  agency  information  security  programs  assess  the  practices  of 
contractors  and  third  parties  with  respect  to  sensitive  personally  identifiable  information  as 
defined  in  the  bill  and  ensure  that  any  deficiencies  are  remediated. 

See  also  “FISMA  Reform.” 


Terrorism  Risk  Insurance  Act  of  2002 

P.L.  107-297,  116  Stat.  2322. 

15  U.S.C.  §6701  nt.158 

Major  Relevant  Provisions 

• Provides  federal  cost-sharing  subsidies  for  insured  losses  resulting  from  acts  of 
terrorism. 

Possible  Updates 

The  act  is  intended  to  provide  incentives  for  the  development  of  insurance  coverage  for  losses 
from  acts  of  terrorism.  Losses  from  cyber  attacks  are  not  specifically  included,  and  some 
observers  have  raised  concerns  about  whether  some  modification  of  the  act  would  be 
appropriate.159 


156  The  bill  included  provisions  from  H.R.  4900,  which  was  ordered  reported  by  the  House  Oversight  and  Government 
Reform  Committee. 

157  House  Republican  Cybersecurity  Task  Force,  Recommendations,  p.  13. 

158  The  original  act  was  amended  by  P.L.  109-144,  the  Terrorism  Risk  Extension  Act  of  1995,  and  P.L.  1 10-160,  the 
Terrorism  Risk  Insurance  Program  Reauthorization  Act  of  2007.  For  classification  details,  see  15  U.S.C.  6701  nt. 

159  See,  for  example,  Karen  C.  Yotis,  “TRIA  and  the  Perils  of  Terrorism  Insurance,”  Viewpoint,  Summer  2007, 
http://www.aaisonline.com/viewpoint/07sum6.html. 
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Cyber  Security  Research  and  Development  Act,  2002 

P.L.  107-305,  116  Stat.  2367, 

15  U.S.C.  [§§278g,h],  §7401  etseq.160 

Major  Relevant  Provisions 

• Requires  the  National  Science  Foundation  (NSF)  to  award  grants  for  basic 
research  to  enhance  computer  security  and  for  improving  undergraduate  and 
master’s  degree  programs,  doctoral  research,  and  faculty  development  programs 
in  computer  and  network  security;  and  to  establish  multidisciplinary  centers  for 
research  on  computer  and  network  security. 

• Requires  NIST  to  establish  programs  to  award  postdoctoral  and  senior  research 
fellowships  in  cybersecurity  and  to  assist  institutions  of  higher  learning  that 
partner  with  for-profit  entities  to  perform  cybersecurity  research;  to  perform 
intramural  specified  cybersecurity  research;  and  to  develop  a checklist  of  security 
settings  for  federal  computer  hardware  and  software  for  voluntary  use  by  federal 
agencies. 

Possible  Updates 

A commonly  expressed  concern  about  federal  research  and  development  (R&D)  relating  to 
cybersecurity  has  been  that  it  is  insufficiently  coordinated  and  prioritized,  and  focuses  too  little 
on  understanding  of  fundamental  principles  and  using  them  to  develop  transformational 
technologies.  The  George  W.  Bush  Administration  attempted  to  address  the  latter  gap  through  the 
“leap-ahead”  technology  component  of  the  Comprehensive  Cybersecurity  Initiative.161  The 
Obama  Administration’s  policy  review162  also  called  for  expanded,  transformational  research. 

Concerns  have  also  been  raised  about  the  need  to  improve  the  process  by  which  NIST  creates 
checklists  and  other  guidance  and  technical  standards  for  federal  IT  systems.163 

FI.R.  4061  in  the  1 1 1th  Congress  would  have  addressed  those  concerns  by  revising  the  act.  A 
similar  bill  in  the  1 12th  Congress,  FI.R.  2096,  would,  as  amended,  expand  NSF  R&D  programs  in 
cybersecurity,  and  require  NIST  to  develop  automated  security  specifications  for  its  cybersecurity 
standards,  checklists,  and  associated  data.  S.  2105,  S.  2151,  S.  3342,  and  S.  3414  would  also 
expand  cybersecurity  topics  addressed  by  NSF. 


160  15  U.S.C.  §§278g,h  are  part  of  the  NIST  Act  (see  p.  23). 

161  See,  for  example,  NITRD,  “About  the  NITRD  Program:  National  Cyber  Leap  Year”,  July  22,  2009, 
http://www.nitrd.gov/leapyear/index.aspx. 

162  The  White  House,  Cyberspace  Policy  Review. 

163  See,  for  example,  H.Rept.  1 1 1-405,  CSIS  Commission  on  Cybersecurity  for  the  44th  Presidency,  A Human  Capital 
Crisis  in  Cybersecurity,  July  2010,  http://csis.org/files/publication/ 
100720_Lewis_HumanCapital_WEB_BlkWhteVersion.pdf. 
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E-Government  Act  of  2002 

P.L.  107-347,  116  Stat.  2899. 

5 U.S.C.  Chapter  37,  44  U.S.C.  3501  nt„  44  U.S.C.  Chapter  35,  Subchapter  2,  and  Chapter  36. 

Major  Relevant  Provisions 

Serves  as  the  primary  legislative  vehicle  to  guide  federal  IT  management  and  initiatives  to  make 
information  and  services  available  online.  Significant  provisions  include  the  following: 

• Established  the  Office  of  Electronic  Government  within  OMB,  to  be  headed  by 
an  administrator  with  a range  of  IT  management  responsibilities,  including 
cybersecurity. 

• Established  the  interagency  CIO  (Chief  Information  Officer)  Council  and 
specified  working  with  the  National  Institute  of  Standards  and  Technology 
(NIST)  on  security  standards  as  one  of  its  functions. 

• Assigned  agency  CIOs  responsibility  for  monitoring  implementation  of  federal 
cybersecurity  standards  in  their  agencies. 

• Contains  various  other  requirements  for  security  and  protection  of  confidential 
information,  including  electronic  authentication  and  privacy  guidelines. 

• Established  a five-year  personnel  exchange  program  between  federal  agencies 
and  private  sector  organizations  to  help  agencies  fill  IT  management  training 
needs. 

• Also  included  the  “Federal  Information  Security  Management  Act  of  2002 
(F1SMA).” 

Possible  Update 

The  White  House  Proposal  would  renew  the  personnel  exchange  program,  which  terminated  at 
the  end  of  2007,  and  remove  the  current  restriction  in  eligibility  to  management  personnel.  While 
this  program  would  be  applicable  to  any  subdiscipline  of  IT,  a widely  held  belief  at  present  is  that 
gaps  in  cybersecurity  expertise  are  of  particular  concern.  S.  1732  would  revise  the  privacy 
provisions  to  account  for  the  increased  commercial  availability  of  personally  identifiable 
information,  which  the  bill  defines  broadly.164  It  would  also  require  agencies  to  designate  chief 
privacy  officers  and  create  a council  of  them,  and  broaden  OMB’s  privacy  responsibilities. 


164  It  would  include  “any  information  about  an  individual  maintained  by  an  agency.” 
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Identity  Theft  Penalty  Enhancement  Act 

P.L.  108-275,  118  Stat.  831. 

18  U.S.C.  §§1028,  1028A.165 

Major  Relevant  Provisions 

• Established  penalties  for  aggravated  identity  theft,  in  which  a convicted 
perpetrator  could  receive  additional  penalties  (two  to  five  years’  imprisonment) 
for  identity  theft  committed  in  relation  to  other  federal  crimes.166 

Possible  Updates 

While  the  number  of  reported  incidents  of  identity  theft  fell  in  2010,  identity  theft  has  generally 
been  the  fastest  growing  type  of  fraud  in  the  United  States  over  the  past  decade.167  FTC  complaint 
data  indicate  that  the  most  common  fraud  complaint  received  (19%  of  all  consumer  fraud 
complaints  in  2010)  has  remained  that  of  identity  theft.168  In  2010,  for  instance,  about  8. 1 million 
Americans  were  reportedly  victims  of  identity  theft.  This  is  a decrease  of  about  28%  from  the 
approximately  11.1  million  who  were  victimized  in  2009. 169  Javelin  Strategy  and  Research 
estimates  that  identity  theft  cost  consumers  about  $37  billion  in  2010. 

The  most  recent  congressional  action  taken  to  enhance  the  identity  theft  laws  was  through  the 
Identity  Theft  Enforcement  and  Restitution  Act  of  2008  (Title  11  of  RL.  1 1 0-326).  Among  other 
elements,  several  of  which  were  recommended  by  a presidential  task  force  in  2007, 170  the  act 
authorized  restitution  to  identity  theft  victims  for  their  time  spent  recovering  from  the  harm 
caused  by  the  actual  or  intended  identity  theft.  Legislation  has  not  yet,  however,  adopted 
recommendations  of  the  task  force  to 

• amend  the  identity  theft  and  aggravated  identity  theft  statutes  so  that  thieves  who 
misappropriate  the  identities  of  corporations  and  organizations — and  not  just  the 
identities  of  individuals — can  be  prosecuted,171  and 

• amend  the  aggravated  identity  theft  statute  by  adding  new  crimes  as  predicate 
offenses172  for  aggravated  identity  theft  violations.173 


165  Prepared  by  Kristin  M.  Finklea,  Analyst  in  Domestic  Security  (kfmklea@crs.loc.gov,  7-6259).  For  classification 
details,  see  18  U.S.C.  §1028  nt. 

166  Examples  of  such  federal  crimes  include  theft  of  public  property,  theft  by  a bank  officer  or  employee,  theft  from 
employee  benefit  plans,  false  statements  regarding  Social  Security  and  Medicare  benefits,  several  fraud  and 
immigration  offenses,  and  specified  felony  violations  pertaining  to  terrorist  acts. 

167  For  more  infonnation  on  identity  theft,  see  CRS  Report  R40599,  Identity  Theft:  Trends  and  Issues,  by  Kristin  M. 
Finklea. 

168  Federal  Trade  Commission,  Consumer  Sentinel  Network  Data  Book  for  January— December,  2010,  March  2010, 
http  ://www.  ftc.gov/  sentinel/ reports/ sentinel-annual-reports/ sentinel-cy20 1 0 .pdf. 

169  Javelin  Strategy  & Research,  2011  Identity  Fraud  Survey  Report:  Consumer  Version,  February  201 1,  p.  5 (available 
at  https://www.javelinstrategy.com/brochure/207). 

170  The  President’s  Identity  Theft  Task  Force,  Combating  Identity  Theft:  A Strategic  Plan,  April  2007, 
http://www.identitytheft.gov/reports/StrategicPlan.pdf. 

171  This  would  involve  revision  of  18  U.S.C.  §§1028  and  1028A. 

172  A predicate  offense  can  be  described  as  a crime  that  is  a component  of  a more  serious  offense.  For  example,  in  the 
(continued...) 
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The  task  force  recommended  that  Congress  clarify  the  identity  theft  and  aggravated  identity  theft 
statutes  to  cover  both  individuals  and  organizations  targeted  by  identity  thieves  because  the  range 
of  potential  victims  includes  not  only  individuals  but  organizations  as  well.  The  task  force  cites 
“phishing”  as  a means  by  which  identity  thieves  assume  the  identity  of  a corporation  or 
organization  in  order  to  solicit  personally  identifiable  information  from  individuals.174 

In  part  because  identity  theft  is  a facilitating  crime,  and  the  criminal  act  of  stealing  someone’s 
identity  often  does  not  end  there,  investigating  and  prosecuting  identity  theft  often  involves 
investigating  and  prosecuting  a number  of  related  crimes.  In  light  of  this  interconnectivity,  the 
task  force  recommended  expanding  the  list  of  predicate  offenses  for  aggravated  identity  theft.  The 
task  force  specifically  suggested  adding  identity  theft-related  crimes  such  as  mail  theft,175 
counterfeit  securities,176  and  tax  fraud.177 

The  Task  Force  Report  also  recommends  requiring  restitution  for  victims  of  identity  theft  and 
computer  fraud.178  At  present,  the  statute  authorizes  restitution  but  does  not  require  it. 


Intelligence  Reform  and  Terrorism  Prevention  Act  of  2004  (IRTPA) 

P.L.  108-458,  118  Stat.  3638. 

42  U.S.C.  §2000ee,  50  U.S.C.  §403-1  et  seq.,  §403-3  et  seq.,  §404o  et.  seq.179 


Major  Relevant  Provisions 

• Established  the  position  of  the  Director  of  National  Intelligence. 

• Establishes  mission  responsibilities  for  some  entities  in  the  intelligence, 
homeland  security,  and  national  security  communities. 

• Discusses  issues  related  to  the  collection,  analysis,  and  sharing  of  security-related 
information. 

• Establishes  a Privacy  and  Civil  Liberties  Board  within  the  Executive  Office  of 
the  President. 

Possible  Updates 

The  act  does  not  contain  a single  reference  to  cyber,  cybersecurity,  or  related  activities.  Its  stated 
purpose  is  to  “reform  the  intelligence  community  and  the  intelligence  and  intelligence-related 


(...continued) 

case  of  money  laundering,  the  crime  that  produces  the  funds  that  are  to  be  laundered  is  the  predicate  offense. 

173  This  would  involve  revision  of  18  U.S.C.  §1028A. 

174  The  President’s  Identity  Theft  Task  Force,  Combating  Identity  Theft:  A Strategic  Plan,  pp.  91  - 92. 

175  18  U.S.C.  §1708. 

176  18  U.S.C.  §513. 

177  26  U.S.C.  §7201,  7206-7207. 

1 3 House  Republican  Cybersecurity  Task  Force,  Recommendations,  p.  14. 

179  Prepared  by  John  Rollins,  Specialist  in  Terrorism  and  National  Security  (jrollins@crs.loc.gov,  7-5529). 
Classification  of  this  act  is  complex.  For  details,  see  50  U.S.C.  §401  nt. 
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activities  of  the  United  States  Government,  and  for  other  purposes.”  The  act  contains  findings  and 
recommendations  offered  in  the  9/11  Commission  Report180  and  other  assessments  that  address 
national  and  homeland  security  shortcomings  associated  with  the  terrorist  attacks  of  September 
11,2001. 

Numerous  organizations,  programs,  and  activities  in  the  act  currently  address  cybersecurity- 
related  issues.  1RPTA  addresses  many  types  of  risks  to  the  nation  and  threats  emanating  from 
man-made  and  naturally  occurring  events.  The  broad  themes  of  the  act  could  be  categorized  as 
how  the  federal  government  identifies,  assesses,  defeats,  responds  to,  and  recovers  from  current 
and  emerging  threats.  The  act  might  be  updated  to  incorporate  cybersecurity-related  issues. 
However,  any  such  update  could  affect  numerous  organizations  and  activities.181 


lso  National  Commission  on  Terrorist  Attacks  Upon  the  United  States,  The  9/11  Commission  Report,  July  22,  2004, 
http://www.9-l  lcommission.gov/report/91  lReport.pdf. 

1 s 1 For  more  information  on  threats,  responses,  and  issues  associated  with  cyberterrorism,  see  CRS  Report  R4 1 674, 
Terrorist  Use  of  the  Internet:  Information  Operations  in  Cyberspace,  by  Catherine  A.  Theohary  and  John  Rollins. 
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Table  2.  Laws  Identified  as  Having  Relevant  Cybersecurity  Provisions 


CRS 

Year  Popular  Name  Law  Stat.  U.S.C.  Applicability  and  Notes  Reports 


6/18/1878 

Posse  Comitatus  Act 

Ch. 

20  Stat. 

18  U.S.C. 

Restricts  the  use  of  military  RS20590 

(P-21) 

263 

152 

§1385 

forces  in  civilian  law 
enforcement  within  the  United 

States.  May  prevent  assistance 
to  civil  agencies  that  lack  DOD 
expertise  and  capabilities. 

7/2/1890 

Antitrust  Laws: 

and  later 

(p.  22) 

Sherman  Antitrust 

Ch. 

26  Stat. 

15  U.S.C. 

“Antitrust  laws”  generally 

Act, 

647 

209 

§§l-7 

means  the  three  laws  listed  in 

Wilson  Tariff  Act 

Ch. 

28  Stat. 

15  U.S.C. 

15  U.S.C.  § 12(a)  and  Sec.  5 of 

349, 

570 

§§8- 1 1 

the  FTC  Act,  which  forbid 

Clayton  Act 

§73 

combinations  or  agreements 

Sec.  5 of  the  Federal 

P.L. 

38  Stat. 

15  U.S.C. 

that  unreasonably  restrain 

Trade  Commission 

63- 

730 

§§12-27 

trade.  May  create  barriers  to 

(FTC)  Act 

212 

38  Stat. 

15  U.S.C. 

sharing  of  information  or 

Ch, 

719 

§45  (a) 

collaboration  to  enhance 

31  1, 

cybersecurity  among  private 

§5 

sector  entities. 

3/3/1901 

National  Institute  of 

Ch. 

3 1 Stat. 

15  U.S.C. 

The  original  act  gave  the 

Standards  and 

872 

1449 

§27 1 et  seq. 

agency  responsibilities  relating 

Technology  (NIST)  Act 

to  technical  standards.  Later 

(P-24) 

amendments  established  a 

computer  standards  program 
and  specified  research  topics, 
among  them  computer  and 
telecommunication  systems, 
including  information  security 
and  control  systems. 

8/1 3/1 912 

Radio  Act  of  1912 

Ch. 

37  Stat. 

Established  a radio  licensing 

287 

302 

regime  and  regulated  private 
radio  communications,  creating 
a precedent  for  wireless 
regulation. 

Repealed  by  the  Radio  Act  of 
1927. 

6/10/1920 

Federal  Power  Act 

Ch. 

41  Stat. 

16  U.S.C. 

Established  the  Federal  Energy  R4I886 

(P-  24) 

285 

1063 

§79 1 a et 

Regulatory  Commission 

seq.,  §824 

(FERC)  and  gave  it  regulatory 

et  seq. 

authority  over  interstate  sale 

and  transmission  of  electric 
power.  The  move  toward  a 
national  smart  grid  is  raising 
concerns  about  vulnerability  to 
cyber  attack. 
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CRS 

Year 

Popular  Name 

Law 

Stat. 

U.S.C. 

Applicability  and  Notes 

Reports 

2/23/1927 

Radio  Act  of  1 927 

Ch. 

44  Stat. 

Created  the  Federal  Radio 

169 

1162 

Commission  as  an  independent 
agency  (predecessor  of  the 
FCC)  and  outlawed 
interception  and  divulging 
private  radio  messages. 
Repealed  by  the 
Communications  Act  of  1934 
(see  p.  25). 

6/19/1934 

Communications  Act 

Ch. 

48  Stat. 

47  U.S.C. 

Established  the  Federal 

RL32589 

of  1 934  (p.25  ) 

652 

1064 

§ 1 5 1 et  seq. 

Communications  Commission 

RL34693 

(FCC)  and  gave  it  regulatory 
authority  over  both  domestic 
and  international  commercial 
wired  and  wireless 
communications.  Provides  the 
President  with  emergency 
powers  over  communications 
stations  and  devices.  Governs 
protection  by  cable  operators 
of  information  about 
subscribers. 

7/26/1947  National  Security  Act  Ch.  61  Stat.  50  U.S.C.  Provided  the  basis  for  the 

of  1947  (p.  26)  343  495  §40letseq.  modern  organization  of  U.S. 

defense  and  national  security 
by  reorganizing  military  and 
intelligence  functions  in  the 
federal  government.  Created 
the  National  Security  Council, 
the  Central  Intelligence 
Agency,  and  the  position  of 
Secretary  of  Defense. 
Established  procedures  for 
access  to  classified  information. 


1/27/1948  US  Information  and  Ch.  62  Stat. 
Educational  Exchange  36  6 

Act  of  1 948 
(Smlth-Mundt  Act) 

(p.  26) 


22  U.S.C.  Restricts  the  State  Department  R4 1 674 

§1431  et  from  disseminating  public 

seq.  diplomacy  information 

domestically  and  limits  its 
authority  to  communicate  with 
the  American  public  in  general. 

Has  been  interpreted  by  some 
to  prohibit  the  military  from 
conducting  cyberspace 
information  operations,  some 
of  which  could  be  considered 


propaganda  that  could  reach 
U.S.  citizens,  since  the 
government  does  not  restrict 
Internet  access  according  to 
territorial  boundaries. 
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CRS 

Year  Popular  Name  Law  Stat.  U.S.C.  Applicability  and  Notes  Reports 


9/8/1950  Defense  Production  Ch. 

Act  of  1950  932 


64  Stat.  50  U.S.C. 
798  App.  §2061 
et  seq. 


8/1/1956  State  Department  P.L.  70  Stat.  22  U.S.C. 

Basic  Authorities  Act  84-  890  §265 1 a 

of  1956  (p.  28)  885 


Codifies  a robust  legal  RS20587 

authority  given  the  President  RL3  I 1 33 

to  force  industry  to  give 

priority  to  national  security 

production  and  ensure  the 

survival  of  security-critical 

domestic  production  capacities. 

It  is  also  the  statutory 
underpinning  of  governmental 
review  of  foreign  investment  in 
U.S.  companies. 

Specifies  the  organization  of  R40989 

the  Department  of  State, 

including  the  positions  of 

coordinator  for 

counterterrorism.  As  the 

Internet  becomes  increasingly 

international,  concerns  have 

been  raised  about  the 

development  and  coordination 

of  international  efforts  in 

cybersecurity  by  the  United 

States. 


10/30/1965  Brooks  Automatic  P.L.  79  Stat. 

Data  Processing  Act  89-  1127 

306 


7/4/1966 

Freedom  of 

P.L. 

80  Stat. 

5 U.S.C. 

Information  Act 
(FOIA)  (p.  28) 

89- 

487 

250 

§552 

Gave  GSA  authority  over 
acquisition  of  automatic  data 
processing  equipment  by 
federal  agencies,  and  gave  NIST 
responsibilities  for  developing 
standards  and  guidelines 
relating  to  automatic  data 
processing  and  federal 
computer  systems. 

Repealed  by  the  Clinger-Cohen 
Act  of  1996  (see  p.  39). 

Enables  anyone  to  access  R4 1 406 

agency  records  except  those  R4 1 933 
falling  into  nine  categories  of 
exemption,  among  them 
classified  documents,  those 
exempted  by  specific  statutes, 
and  trade  secrets  or  other 
confidential  commercial  or 
financial  information. 


6/19/1 968  Omnibus  Crime 

P.L. 

82  Stat. 

42  U.S.C. 

Title  1 established  federal  grant 

Control  and  Safe 

90- 

197 

Chapter  46, 

programs  and  other  forms  of 

Streets  Act  of  1 968 

351 

§§3701  to 

assistance  to  state  and  local  law 

(p.  30) 

3797ee-l 

enforcement. 

Title  III  is  a comprehensive 
wiretapping  and  electronic 
eavesdropping  statute  that  not 
only  outlawed  both  activities  in 
general  terms  but  that  also 
permitted  federal  and  state  law 
enforcement  officers  to  use 
them  under  strict  limitations. 


Congressional  Research  Service 


54 


Federal  Laws  Relating  to  Cybersecurity:  Discussion  of  Proposed  Revisions 


CRS 

Year 

Popular  Name 

Law 

Stat. 

u.s.c. 

Applicability  and  Notes 

Reports 

10/15/1970 

Racketeer  Influenced 

P.L. 

84  Stat. 

18  U.S.C. 

Enlarges  the  civil  and  criminal 

96-950 

and  Corrupt 

91- 

941 

Chapter  96, 

consequences  of  a list  of  state 

Organizations  Act 

452 

§§1961- 

and  federal  crimes  when 

(RICO)  (p.  30) 

1968 

committed  in  a way 
characteristic  of  the  conduct  of 
organized  crime  (racketeering). 

10/6/1972 

Federal  Advisory 

P.L. 

86  Stat 

5 U.S.C. 

Specifies  conditions  for 

R40520 

Committee  Act 

92- 

770 

App.,  §§l- 

establishing  a federal  advisory 

(P-31) 

463 

16 

committee  and  its 

responsibilities  and  limitations. 
Requires  open,  public  meetings 
and  that  records  be  available 
for  public  inspection.  Has  been 
criticized  as  potentially 
impeding  the  development  of 
public/private  partnerships  in 
cybersecurity,  particularly 
private-sector  communications 
and  input  on  policy. 

1 1/7/1973 

War  Powers 

P.L. 

87  Stat. 

50  U.S.C. 

Establishes  procedures  to 

R4I 199 

Resolution 

93- 

555 

Chapter  33, 

circumscribe  presidential 

R4I989 

148 

§§1541- 

authority  to  use  armed  forces 

1548. 

in  potential  or  actual  hostilities 
without  congressional 
authorization. 

12/31/1974 

Privacy  Act  of  1974 

P.L. 

88  Stat. 

5 U.S.C. 

Limits  the  disclosure  of 

(P-31) 

93- 

1896 

§552a 

personally  identifiable 

579 

information  (Pll)  held  by 
federal  agencies.  Established  a 
code  of  fair  information 
practices  for  collection, 
management,  and  dissemination 
of  records  by  agencies, 
including  requirements  for 
security  and  confidentiality  of 
records. 

10/25/1978 

Foreign  Intelligence 

P.L. 

92  Stat. 

18  U.S.C. 

In  foreign  intelligence 

98-326 

Surveillance  Act  of 

95- 

1783 

§§2511, 

investigations,  provides  a 

R40 1 38 

1978  (FISA) 

SI  1 

2518-9, 

statutory  framework  for 

50  U.S.C. 

federal  agencies  to  obtain 

Chapter  36, 

authorization  to  conduct 

§§1801- 

electronic  surveillance,  utilize 

1885c 

pen  registers  and  trap  and 
trace  devices,  or  access 
specified  records. 

10/13/1980 

Privacy  Protection 

P.L. 

94  Stat. 

42  U.S.C. 

Protects  journalists  from  being 

Act  of  1980 

96- 

1879 

Chapter 

required  to  turn  over  to  law 

440 

21  A, 

enforcement  any  work  product 

§§2000aa-5 

and  documentary  materials, 

to  2000aa- 

including  sources,  before 

12 

dissemination  to  the  public. 
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CRS 


Year 

Popular  Name 

Law 

Stat. 

u.s.c. 

Applicability  and  Notes 

Reports 

10/12/1984 

Counterfeit  Access 

P.L. 

98  Stat. 

18  U.S.C. 

Provided  criminal  penalties  for 

97-1025 

Device  and  Computer 

98- 

2190 

§1030 

unauthorized  access  and  use  of 

Fraud  and  Abuse  Act 

473 

computers  and  networks.  Part 

of  1984  (p.  32) 

of  the  Comprehensive  Crime 
Control  Act  of  1 984. 

10/16/1986 

Computer  Fraud 

P.L. 

100 

18  U.S.C. 

Expanded  the  scope  of  the 

and  Abuse  Act  of 

99- 

Stat. 

§1030 

Counterfeit  Access  Device  and 

1986 

474 

1213 

Computer  Fraud  and  Abuse 
Act  of  1984.  For  government 
computers,  criminalized 
electronic  trespassing, 
exceeding  authorized  access, 
and  destroying  information; 
also  criminalized  trafficking  in 
stolen  computer  passwords. 
Created  a statutory  exemption 
for  intelligence  and  law 
enforcement  activities. 

10/21/1986 

Electronic 

P.L. 

100 

18  U.S.C. 

Attempts  to  strike  a balance 

R4I733 

Communications 

99- 

Stat. 

§§25  IQ- 

between  privacy  rights  and  the 

R4I756 

Privacy  Act  of  1 986 

508 

1848 

2522,  2701- 

needs  of  law  enforcement  with 

RL34693 

(ECPA)  (p.  33) 

2712,  3121- 

respect  to  data  shared  or 

3126 

stored  by  electronic  and 
telecommunications  services. 
Unless  otherwise  provided, 
prohibits  the  interception  of  or 
access  to  stored  oral  or 

electronic  communications,  use 
or  disclosure  of  information  so 
obtained,  or  possession  of 
electronic  eavesdropping 
equipment. 

10/30/1986 

Department  of 

P.L. 

100 

10  U.S.C. 

Established  unified  combatant 

Defense 

99- 

Stat. 

§167 

command  for  special 

Appropriations  Act, 

591 

3341- 

operations  forces,  including  the 

1987  (p.  35) 

82, 

U.S.  Strategic  Command,  under 

3341- 

which  the  U.S.  Cyber 

122 

Command  was  organized. 

1/8/1988 

Computer  Security 

P.L. 

101 

15  U.S.C. 

Required  NIST  to  develop  and 

Act  of  1987 

1 GO- 

Stat. 

§§272, 

the  Secretary  of  Commerce  to 

235 

1724 

278g-3, 

promulgate  security  standards 

278g-4, 

and  guidelines  for  federal 

278h 

computer  systems  except 
national  security  systems.  Also 
required  agency  planning  and 
training  in  computer  security 
(this  provision  was  superseded 
by  FISMA— see  p.  43). 

10/18/1988 

Computer  Matching 

P.L. 

102 

5 U.S.C. 

Amended  the  Privacy  Act  (see 

and  Privacy 

100- 

Stat. 

§552a 

p.  31),  establishing  procedural 

Protection  Act  of 

503 

2507 

safeguards  for  use  of  computer 

1988 

matching  on  records  covered 
by  the  act. 
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CRS 

Year 

Popular  Name 

Law 

Stat. 

u.s.c. 

Applicability  and  Notes 

Reports 

12/9/ 1991 

High  Performance 

P.L. 

105 

15  U.S.C. 

Established  a federal  high- 

RL33586 

Computing  Act  of 

102- 

Stat. 

Chapter  8 1 

performance  computing 

1991  (p.  35) 

194 

1594 

program  and  requires  that  it 
address  security  needs  and 
provide  for  interagency 
coordination. 

10/25/1994 

Communications 

P.L. 

108 

47  U.S.C. 

Requires  telecommunications 

RL30677 

Assistance  for  Law 

103- 

Stat. 

§1001  et 

carriers  to  assist  law 

Enforcement  Act 

414 

4279 

seq. 

enforcement  in  performing 

(CALEA)  of  1994 

electronic  surveillance  and 

(p.  37) 

directs  the  telecommunications 

industry  to  design,  develop,  and 
deploy  solutions  that  meet 
requirements  for  carriers  to 
support  authorized  electronic 
surveillance. 

5/25/1995 

Paperwork 

P.L. 

109 

44  U.S.C. 

Gave  the  Office  of 

Reduction  Act  of 

104- 

Stat. 

Chapter  35, 

Management  and  Budget 

1995 

13 

163 

§§3501- 

(OMB)  authority  to  develop 

3549 

information-resource 

management  polices  and 
standards,  required 
consultation  with  NIST  and 

GSA  on  information 

technology  (IT),  and  required 
agencies  to  implement 
processes  relating  to 
information  security  and 

privacy. 

2/8/1996 

Telecommunications 

P.L. 

1 10 

See  47 

Overhauled 

Act  of  1996 

104- 

Stat.  56 

U.S.C.  §609 

telecommunications  law, 

104 

nt.  for 

including  significant 

affected 

deregulation  of  U.S. 

provisions. 

telecommunications  markets, 
eliminating  regulatory  barriers 
to  competition. 

2/8/1996 

Communications 

P.L. 

1 10 

See  47 

Intended  to  regulate  indecency 

R4I499 

Decency  Act  of  1 996 

104- 

Stat. 

U.S.C. 

and  obscenity  on 

(p.  38) 

104 

133 

§§223,  230 

telecommunications  systems, 

(Title 

including  the  Internet.  Has 

V) 

been  interpreted  to  absolve 
Internet  service  providers  and 
certain  web-based  services  of 
responsibility  for  third-party 
content  residing  on  those 
networks  or  websites. 
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CRS 


Year 

Popular  Name 

Law 

Stat. 

u.s.c. 

Applicability  and  Notes 

Reports 

2/10/1996 

Clinger-Cohen  Act 

P.L. 

1 10 

40  U.S.C. 

Required  agencies  to  ensure 

(Information 

104- 

Stat. 

§1 1001  et 

adequacy  of  information- 

Technology 

106, 

642 

seq. 

security  policies,  OMB  to 

Management  Reform 

(Div. 

oversee  major  IT  acquisitions, 

Act)  of  1996)  (p.  39) 

D and 

and  the  Secretary  of 

E) 

Commerce  to  promulgate 
compulsory  federal  computer 
standards  based  on  those 
developed  by  NIST.  Exempted 
national  security  systems  from 
most  provisions. 

8/21/1996 

Health  Insurance 

P.L. 

1 10 

42  U.S.C. 

Required  the  Secretary  of 

RL34I20 

Portability  and 

104- 

Stat. 

§l320d  et 

Health  and  Human  Services  to 

Accountability  Act 

191 

1936 

seq. 

establish  security  standards  and 

of  1996  (HIPAA) 

regulations  for  protecting  the 
privacy  of  individually 
identifiable  health  information, 
and  required  covered  health- 
care entities  to  protect  the 
security  of  such  information. 

10/1  1/1996 

Economic  Espionage 

P.L. 

1 10 

18  U.S.C. 

Outlaws  theft  of  trade  secret 

Act  of  1996 

104- 

Stat. 

§1030, 

information,  including 

294 

3488 

Chapter  90, 

electronically  stored 

§§1831- 

information,  if  “reasonable 

1839 

measures"  have  been  taken  to 

keep  it  secret.  Also  contains 
the  National  Information 

Infrastructure  Protection  Act 

of  1996,  amending  18  U.S.C. 
§1030  (see  the  Counterfeit 
Access  Device  and  Computer 
Fraud  and  Abuse  Act  of  1984, 
p.  32),  broadening  prohibited 
activities  relating  to 
unauthorized  access  to 

computers. 

10/30/1998 

Identity  Theft  and 

P.L. 

1 12 

18  U.S.C. 

Made  identity  theft  a federal 

R40599 

Assumption 

1 OS- 

Stat. 

§1028 

crime,  provides  penalties,  and 

Deterrence  Act  of 

318 

3007 

directed  the  FTC  to  record 

1998  (p.  40) 

and  refer  complaints. 

10/5/1999 

National  Defense 

P.L. 

113 

10  U.S.C. 

Established  the  Defense 

Authorization  Act 

106- 

Stat. 

§2224 

Information  Assurance 

for  Fiscal  Year  2000 

65 

512 

Program  and  required 
development  of  a testbed  and 
coordination  with  other  federal 

agencies. 

1 I/I  2/1 999 

Gramm-Leach-Bliley 

P.L. 

1 13 

15  U.S.C. 

Requires  financial  institutions 

RL34I20 

Act  of  1999 

106- 

Stat. 

Chapter  94, 

to  protect  the  security  and 

RS20I85 

102 

1338 

§§6801- 

confidentiality  of  customers’ 

(Title 

6827 

personal  information; 

V) 

authorized  regulations  for  that 
purpose. 
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CRS 


Year 

Popular  Name 

Law 

Stat. 

u.s.c. 

Applicability  and  Notes 

Reports 

10/30/2000 

Floyd  D.  Spence 

P.L. 

1 14 

10  u.s.c. 

Established  the  DOD 

National  Defense 

106- 

STAT. 

Chapter 

information  assurance 

Authorization  Act 

398 

1 654A- 

1 12, 

scholarship  program;  set 

for  Fiscal  Year  200 1 

(Titles 

233; 

§§2200- 

cybersecurity  requirements  for 

IX  & 

1 654A- 

2200f 

federal  systems  superseded  by 

X) 

266 

FISMA  in  2002 

10/26/2001 

USA  PATRIOT  Act 

P.L. 

115 

see  18 

Authorized  various  law- 

R40980 

of  2001 

107- 

Stat. 

U.S.C.  §1 

enforcement  activities  relating 

56 

272 

nt.  and 

classification 

tables.3 

to  computer  fraud  and  abuse. 

7/30/2002 

Sarbanes-Oxley  Act 

P.L. 

116 

15  U.S.C. 

Requires  annual  reporting  on 

of  2002 

107- 

Stat. 

§7262 

internal  financial  controls  of 

204 

745 

covered  firms  to  the  Securities 

and  Exchange  Commission 
(SEC).  Such  controls  typically 
include  information  security. 

1 1/25/2002 

Homeland  Security 

P.L. 

1 16 

6 U.S.C. 

Created  the  Department  of 

Act  of  2002  (HSA) 

1 07- 

Stat. 

§§121-1 95c, 

Homeland  Security  (DHS)  and 

(P-41) 

296 

2135 

441-444, 

gave  it  functions  relating  to  the 

(Titles 

and  48 1 - 

protection  of  information 

II  and 

486 

infrastructure,  including 

III) 

providing  state  and  local 
governments  and  private 
entities  with  threat  and 
vulnerability  information,  crisis- 
management  support,  and 
technical  assistance. 
Strengthened  some  criminal 
penalties  relating  to 
cybercrime. 

1 1/25/2002 

Federal  Information 

P.L. 

116 

44  U.S.C. 

Created  a cybersecurity 

Security  Management 

107- 

Stat. 

Chapter  35, 

framework  for  federal 

Act  of  2002  (FISMA) 

296 

2259 

Subchapters 

information  systems,  with  an 

(p.  43) 

(Title 

II  and  III, 

emphasis  on  risk  management, 

X) 

1 16 

40  U.S.C. 

and  required  implementation  of 

P.L. 

Stat. 

1 1331, 

agency-wide  information 

107- 

2946 

15  U.S.C. 

security  programs.  Gave 

347 

278g-3  & 4 

oversight  responsibility  to 

(Title 

OMB,  revised  the 

III) 

responsibilities  of  the  Secretary 
of  Commerce  and  NIST  for 
information-system  standards, 
and  transferred  responsibility 
for  promulgation  of  those 
standards  from  the  Secretary 
of  Commerce  to  OMB. 

1 1/26/2002 

Terrorism  Risk 

P.L. 

116 

15  U.S.C. 

Provides  federal  cost-sharing 

Insurance  Act  of 

107- 

Stat. 

§6701  nt. 

subsidies  for  insured  losses 

2002  (p.  46) 

297 

2322 

resulting  from  acts  of 
terrorism. 

Congressional  Research  Service 


59 


Federal  Laws  Relating  to  Cybersecurity:  Discussion  of  Proposed  Revisions 


CRS 


Year 

Popular  Name 

Law 

Stat. 

u.s.c. 

Applicability  and  Notes  Reports 

1 1/27/2002 

Cyber  Security 

P.L. 

116 

15  U.S.C. 

Requires  the  National  Science 

Research  and 

107- 

Stat. 

§§278g,  h, 

Foundation  (NSF)  to  award 

Development  Act, 
2002  (p.  46) 

305 

2367 

7401  et  seq. 

grants  for  basic  research  and 
education  to  enhance 
computer  security.  Required 
NIST  to  establish  cybersecurity 
research  programs. 

12/17/2002 

E-Government  Act  of 

P.L. 

116 

5 U.S.C. 

Serves  as  the  primary  legislative 

2002  (p.  48) 

107- 

347 

Stat. 

2899 

Chapter  37, 
44  U.S.C. 

vehicle  to  guide  federal  IT 
management  and  initiatives  to 

§3501  nt.,  make  information  and  services 

Chapter  35,  available  online.  Established  the 
Subchapter  Office  of  Electronic 

2,  and  Government  within  OMB,  the 

Chapter  36  Chief  Information  Officers 

(CIO)  Council,  and  a 
government/private-sector 
personnel  exchange  program; 
includes  FISMA;  established  and 
contains  various  other 
requirements  for  security  and 
protection  of  confidential 
information. 


12/4/2003 

Fair  and  Accurate 

P.L. 

1 17 

See  1 5 

Required  the  FTC  and  other  RS20I85 

Credit  Transactions 

1 OS- 

Stat. 

U.S.C. 

agencies  to  develop  guidelines 

Act  of  2003 

159 

1952 

§1601  nt. 

for  identity  theft  prevention 

for  affected 

programs  in  financial 

provisions. 

institutions,  including  “red 
flags"  indicating  possible 
identity  theft. 

12/16/2003 

Controlling  the 

P.L. 

1 17 

15  U.S.C. 

Imposed  regulations  on  the 

Assault  of  Non- 

1 OS- 

Stat. 

Chapter 

transmission  of  unsolicited 

Solicited 

187 

2699 

103, 

commercial  email,  including 

Pornography  and 

§§7701- 

prohibitions  against  predatory 

Marketing  (CAN- 

7713,  18 

and  abusive  email,  and  false  or 

SPAM)  Act  of  2003 

U.S.C.  1037 

misleading  transmission  of 
information. 

7/15/2004 

Identity  Theft  Penalty 

P.L. 

1 18 

18  U.S.C. 

Established  penalties  for  R40599 

Enhancement  Act 

1 OS- 

Stat. 

§§1028, 

aggravated  identity  theft. 

2004  (p.  49) 

275 

831 

I028A 

12/17/2004 

Intelligence  Reform 

P.L. 

1 18 

42  U.S.  C. 

Created  the  position  of 

and  Terrorism 

1 OS- 

Stat. 

§2000ee,  50 

Director  of  National 

Prevention  Act  of 

458 

3638 

U.S.C. 

Intelligence  (DNI).  Established 

2004  (IRPTA)  (p.  50) 

§403-1  et 

mission  responsibilities  for 

seq.,  §403-3 

some  entities  in  the 

et  seq., 

intelligence,  homeland  security, 

§404o  et. 

and  national  security 

seq. 

communities,  and  established  a 

Privacy  and  Civil  Liberties 
Board  within  the  Executive 
Office  of  the  President. 
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Popular  Name 

Law 

Stat. 

u.s.c. 

Applicability  and  Notes 

Reports 

8/8/2005 

Energy  Policy  Act  of 

P.L. 

1 19 

16  U.S.C. 

Requires  FERC  to  certify  an 

R4I886 

2005  (EPACT) 

109- 

Stat. 

824o 

Electric  Reliability  Organization 

58 

594 

(ERO)  to  establish  and  enforce 
reliability  standards  for  bulk 
electric-power  system  facilities. 

10/4/2006 

Department  of 

P.L. 

120 

6 U.S.C. 

Sec.  550  required  the  Secretary 

Homeland  Security 

109- 

Stat. 

§121  nt. 

of  Homeland  Security  to  issue 

Appropriations  Act, 

295 

1355 

regulations  (6  C.F.R.  Part  27) 

2007 

establishing  risk-based 
performance  standards  for 
security  of  chemical  facilities; 
regulations  include 
cybersecurity  standards 
requirement  (6  C.F.R. 
§27.230(a)(8)). 

8/5/2007 

Protect  America 

P.L. 

121 

50  U.S.C. 

Provided  authority  for  the 

Act  of  2007 

1 IQ- 

Stat. 

§1801  nt. 

Attorney  General  and  the  DNI 

55 

552 

to  gather  foreign  intelligence 
information  on  persons 
believed  to  be  overseas. 

The  act  expired  in  2008. 

12/19/2007 

Energy 

P.L. 

121 

42  U.S.C. 

Gave  NIST  primary 

R4I886 

Independence  and 

1 10- 

Stat. 

§§17381- 

responsibility  for  developing 

Security  Act  of  2007 

140 

1492 

17385 

interoperability  standards  for 

(EISA) 

the  electric-power  “smart 
grid." 

7/10/2008 

Foreign  Intelligence 

P.L. 

122 

See  50 

Added  additional  procedures 

98-326 

Surveillance  Act  of 

1 IQ- 

Stat. 

U.S.C. 

to  FISA  (see  p.  55)  for 

1978  [FISA] 

261 

2436 

§1801  nt. 

acquisition  of  communications 

Amendments  Act  of 

for  affected 

of  persons  outside  the  United 

2008 

provisions. 

States. 

9/26/2008 

Identity  Theft 

P.L. 

122 

18  U.S.C. 

Authorized  restitution  to 

R40599 

Enforcement  and 

1 10- 

Stat. 

§1030 

identity  theft  victims  and 

97-1025 

Restitution  Act  of 

326 

356 

modified  some  of  the  activities 

2008 

and  penalties  covered  by  18 
U.S.C.  1030. 

2/17/2009 

Health  Information 

P.L. 

123 

42  U.S.C. 

Expanded  privacy  and  security 

R40546 

Technology  for 

1 1 1-5 

Stat. 

§17901  et 

requirements  for  protected 

Economic  and 

(Title 

226 

seq. 

health  information  by 

Clinical  Health  Act 

XIII  of 

broadening  HIPAA  breach 

Div. 

disclosure  notification  and 

A and 

privacy  requirements  to 

Title 

include  business  associates  of 

IV  of 

covered  entities. 

Div. 

B) 


Source:  Various  sources  (see  text),  including  National  Research  Council,  Toward  a Safer  and  More  Secure 
Cyberspace  (Washington,  DC:  National  Academy  Press,  2007);  The  White  House,  Cyberspace  Policy  Review,  May 
29,  2009,  http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf;  and  CRS. 

Note:  Prepared  by  Rita  Tehan,  Information  Research  Specialist  (rtehan@crs.loc.gov,  7-6739)  and  Eric  A.  Fischer. 
Laws  in  italics  are  discussed  in  the  text. 
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Congress,  Ist  Session  (Covering  Public  Laws  107-1  through  107-136),”  http://uscode.house.gov/classification/ 
tbl  1 07pl I st.htm. 
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